Re: cn=config example
> > > On Friday 21 September 2007 06:07:47 Howard Chu wrote:
> > >> Use slaptest instead.
> > > except that slaptest doesn't have a "run as another user" flag, and -u is
> > > already taken :-(.
I was just working with converting a conf file to a config backend and
swear I saw a specific note somewhere to use slaptest (and I knew to use
slaptest). Now poking around a bit I can't find it.
> > Nor do the tools need such an option; you can just use su. The reason slapd
> > can't be started with just "su ldap" is because it may need root privs to
> > open the listener sockets. That's the only reason it has -u/-g options.
> Sure, and I use su in our init script when testing the configuration. But,
> some other distros don't, and don't use -u, and end up creating transaction
> log files as root, preventing startup later.
I don't perceive this as an OpenLDAP problem; it is more of a "bad
distribution! bad!" kind of issue.
> I am not aware of any
> recommendation of using su for slaptest (though it is quite obvious to many,
> it may be worth mentioning explicitly). And, it should certainly be mentioned
> in any documentation covering converting to back-config.
Nah, it is simply obvious/standard practice. Configuring services as a
user or root and then setting permissions as the last step is just how
things are done.
> > > At present, it seems that if you want to do the conversion while slapd is
> > > running, and for a slapd that runs as non-root, something like this is
> > > the best option:
> > > # slapd -u ldap -g ldap -d none -h ldap://localhost:391/ -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
> > > As then
> > > -The configuration will be converted
> > > -slapd won't start up
> > What makes you say that?
> It will fail to open the database already opened by the running slapd.
I'm confused by all of this; who is going to be converting their
configuration (which one assumes would also include testing the
resulting configuration) while slapd is hot?
> > > -you will see any relevant errors
> > > -all the files will be owned by the ldap user/group
> > > -if it succeeds, a restart of slapd is all that is necessary to continue
> > That seems like far more trouble than just using su...
> It's about the same amount of typing:
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap.ldap /etc/openldap/slapd.d
Consonance: an Open Source .NET OpenGroupware client.
http://code.google.com/p/consonance/ - Searching for a bored Cairo# hacker.
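Both approaches discussed in the thread, written out as a script. This is an added example, not code posted by anyone in the thread or shipped by OpenLDAP. It assumes the paths used above (/etc/openldap/slapd.conf and /etc/openldap/slapd.d), a service user named "ldap", and slaptest on PATH; all three can be overridden from the environment. The only part that goes beyond the thread is check_owner, which walks the resulting tree and reports anything not owned by the service user, the same check worth running on the database directory, since a root-owned transaction log there is what keeps a "slapd -u ldap" from starting later.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed defaults; override via env.
SLAPD_CONF=${SLAPD_CONF:-/etc/openldap/slapd.conf}
SLAPD_D=${SLAPD_D:-/etc/openldap/slapd.d}
SLAPD_USER=${SLAPD_USER:-ldap}

# check_owner DIR UID: print every path under DIR whose owner is not UID.
# Returns 0 when the tree is clean, 1 when at least one stray path exists.
# Point it at slapd.d and at the database directory before starting slapd.
check_owner() {
    _dir=$1
    _uid=$2
    _stray=$(find "$_dir" ! -uid "$_uid" -print)
    if [ -n "$_stray" ]; then
        printf '%s\n' "$_stray"
        return 1
    fi
    return 0
}

# Variant 1: run slaptest as the service user through su, so every file it
# writes is owned correctly from the start. Needs root, and slapd.conf must
# be readable by $SLAPD_USER (e.g. mode 0640, group ldap).
convert_as_service_user() {
    mkdir -p "$SLAPD_D"
    chown "$SLAPD_USER" "$SLAPD_D"
    su -s /bin/sh -c "slaptest -f '$SLAPD_CONF' -F '$SLAPD_D'" "$SLAPD_USER" \
        || return 1
    check_owner "$SLAPD_D" "$(id -u "$SLAPD_USER")"
}

# Variant 2: the two-liner from the reply. Convert as root, hand the tree
# over with chown -R, then verify nothing was missed.
convert_then_chown() {
    mkdir -p "$SLAPD_D"
    slaptest -f "$SLAPD_CONF" -F "$SLAPD_D" || return 1
    chown -R "$SLAPD_USER:$SLAPD_USER" "$SLAPD_D"
    check_owner "$SLAPD_D" "$(id -u "$SLAPD_USER")"
}

# Usage: sh convert.sh su      (variant 1)
#        sh convert.sh chown   (variant 2)
case "${1-}" in
    su)    convert_as_service_user ;;
    chown) convert_then_chown ;;
esac
```

Whichever variant is used, slaptest exits non-zero on a configuration it cannot load, so the chown and ownership check only run on a conversion that actually parsed. After a clean check, a restart of slapd (now started with -F, without -f) is all that remains.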