
Re: cn=config example



On Friday 21 September 2007 09:52:03 Howard Chu wrote:
> Buchan Milne wrote:
> > On Friday 21 September 2007 06:07:47 Howard Chu wrote:
> >> Use slaptest instead.
> >
> > except that slaptest doesn't have a "run as another user" flag, and -u is
> > already taken :-(.
>
> Nor do the tools need such an option; you can just use su. The reason slapd
> can't be started with just "su ldap" is because it may need root privs to
> open the listener sockets. That's the only reason it has -u/-g options.

Sure, and I use su in our init script when testing the configuration. But, 
some other distros don't, and don't use -u, and end up creating transaction 
log files as root, preventing startup later. I am not aware of any 
recommendation of using su for slaptest (though it is quite obvious to many, 
it may be worth mentioning explicitly). And, it should certainly be mentioned 
in any documentation covering converting to back-config.

> > At present, it seems that if you want to do the conversion while slapd is
> > running, and for a slapd that runs as non-root, something like this is
> > the best option:
> >
> > # slapd -u ldap -g ldap -d none -h ldap://localhost:391/ -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
> >
> > As then
> > -The configuration will be converted
> > -slapd won't start up
>
> What makes you say that?

It will fail to open the database already opened by the running slapd.

> > -you will see any relevant errors
> > -all the files will be owned by the ldap user/group
> > -if it succeeds, a restart of slapd is all that is necessary to continue
>
> That seems like far more trouble than just using su...

It's about the same amount of typing:

# su - ldap -s /bin/bash -c 'slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d'

So, maybe I'll use this ...

Regards,
Buchan
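An added example, not from the thread or the OpenLDAP project: a small script that wraps the `su` approach above and then checks that nothing under slapd.d ended up owned by another user, which is the failure mode (root-owned files blocking later startup) the thread describes. The paths are the ones from the thread; the service user name `ldap` and the `SERVICE_USER`/`SLAPD_CONF`/`CONFIG_DIR` variables are assumptions.

```shell
#!/bin/sh
# Added example (not the thread's or OpenLDAP's own code). Converts slapd.conf
# to cn=config as the service user and verifies the resulting file ownership.
# SERVICE_USER, SLAPD_CONF and CONFIG_DIR are assumed defaults; override via env.

SERVICE_USER="${SERVICE_USER:-ldap}"
SLAPD_CONF="${SLAPD_CONF:-/etc/openldap/slapd.conf}"
CONFIG_DIR="${CONFIG_DIR:-/etc/openldap/slapd.d}"

# Run slaptest as the service user rather than root, so every file it creates
# (the slapd.d tree and any transaction logs it touches) gets the right owner.
# -s overrides a nologin shell on the service account.
convert_config() {
    mkdir -p "$CONFIG_DIR" && chown "$SERVICE_USER" "$CONFIG_DIR" || return 1
    su - "$SERVICE_USER" -s /bin/sh -c \
        "slaptest -f '$SLAPD_CONF' -F '$CONFIG_DIR'"
}

# Print every path under $1 not owned by $2 (user name or numeric uid).
# Returns 0 when all files match, 1 when stray files exist, 2 if find failed
# (e.g. unknown user), so an init script can refuse to continue.
files_not_owned_by() {
    dir="$1"; owner="$2"
    stray=$(find "$dir" ! -user "$owner") || return 2
    [ -z "$stray" ] && return 0
    printf '%s\n' "$stray"
    return 1
}

if [ "${1:-}" = "convert" ]; then
    convert_config && files_not_owned_by "$CONFIG_DIR" "$SERVICE_USER" \
        && echo "conversion OK: restart slapd to use $CONFIG_DIR"
fi
```

Run it as root with the single argument `convert`; a non-zero exit means either slaptest failed or a file under slapd.d is owned by someone other than the service user.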