[Pkg-openldap-devel] Upgrading and changing permissions.

Quanah Gibson-Mount quanah at stanford.edu
Wed Jun 7 20:52:34 UTC 2006



--On Wednesday, June 07, 2006 10:18 PM +0200 Matthijs Mohlmann 
<matthijs at cacholong.nl> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Steve Langasek wrote:
>> On Sun, Jun 04, 2006 at 03:47:54PM +0200, Matthijs Mohlmann wrote:
>>> - - Upgrade path (From sarge to etch / sid)
>>> When someone wants to upgrade from Sarge to sid and update the
>>> /etc/default/slapd so that the user is changed to openldap. Shall we in
>>> the slapd postinst script update the permissions of every file /
>>> directory in /etc/ldap except for ldap.conf because that one belongs to
>>> libldap2 ?
>>
>> Why would you change the permissions of *any* of these files?  The slapd
>> user shouldn't have write access to them.
>>
> The user / admin can have passwords in the slapd.conf configuration. See
> the rootdn and rootpw parameter. That's why I think it's needed to
> change the permissions. Eventually we can change it to root:openldap and
> 0640 so that the openldap user only has read permissions.
>
> The included files from slapd.conf can probably also have passwords.
> (with multiple directories specified in multiple files)


rootdn/rootpw are not related to the user identity slapd runs under. 
However, the identity slapd runs under needs to have full permissions to 
the database, and if people run db_recover as some other user (like root), 
they may get into serious trouble.  I personally prefer slapd run as root, 
it saves you from headaches.

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
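The two ownership conditions this exchange turns on (the config files that may carry rootpw must not be writable by the slapd runtime user, while the database directory must be fully owned by it, or a root-run db_recover leaves files slapd cannot open) can be checked before SLAPD_USER in /etc/default/slapd is changed. The following script is an added example written for this page; it is not code from the thread or from the Debian openldap packaging. It assumes GNU stat (-c), whitespace-free paths, and runs against a constructed scratch tree instead of the real /etc/ldap and /var/lib/ldap; the directory names, the placeholder rootpw value and the expected owner (the invoking user, since an unprivileged run cannot chown to openldap) are all illustrative.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Debian openldap package.
# It audits the two conditions discussed above before SLAPD_USER is switched
# to a non-root account:
#   1. slapd.conf and its included files (which may carry rootpw) are owned by
#      <owner>:<slapd group>, readable but not writable by the group and not
#      accessible by others (0640 files / 0750 directories);
#   2. everything under the BDB directory is owned by the runtime user, so no
#      root-owned file (e.g. left behind by db_recover run as root) blocks slapd.
# Assumptions: GNU stat (-c) is available and paths contain no whitespace.

# check_config_dir DIR OWNER GROUP -> 0 if every file and directory under DIR
# is OWNER:GROUP, not group-writable and not accessible by others; else 1.
check_config_dir() {
  dir=$1; want_owner=$2; want_group=$3; rc=0
  for path in $(find "$dir" -type f -o -type d); do
    set -- $(stat -c '%U %G %a' "$path")
    owner=$1; group=$2; perms=$3
    last2=${perms#"${perms%??}"}   # group and other digits of the octal mode
    grp=${last2%?}; oth=${last2#?}
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
      echo "BAD OWNER $path ($owner:$group, want $want_owner:$want_group)"; rc=1
    fi
    case $grp in 2|3|6|7) echo "GROUP-WRITABLE $path (mode $perms)"; rc=1;; esac
    if [ "$oth" != 0 ]; then echo "WORLD-ACCESSIBLE $path (mode $perms)"; rc=1; fi
  done
  return $rc
}

# check_db_dir DIR USER -> 0 if every entry under DIR is owned by USER; else 1.
# A root-owned __db.* or log.* file here is the db_recover problem from the thread.
check_db_dir() {
  dir=$1; want_owner=$2; rc=0
  for path in $(find "$dir" -type f -o -type d); do
    owner=$(stat -c '%U' "$path")
    if [ "$owner" != "$want_owner" ]; then
      echo "NOT OWNED BY $want_owner: $path (owner $owner)"; rc=1
    fi
  done
  return $rc
}

# Demo against a constructed scratch tree; no real /etc/ldap is touched.
# In production the expected values would be root:openldap and openldap.
demo() {
  me=$(id -un); mg=$(id -gn)
  t=$(mktemp -d)
  mkdir "$t/ldap" "$t/db"; chmod 0750 "$t/ldap" "$t/db"
  printf 'rootdn "cn=admin,dc=example,dc=org"\nrootpw {SSHA}placeholder\n' \
    > "$t/ldap/slapd.conf"
  chmod 0640 "$t/ldap/slapd.conf"
  : > "$t/db/__db.001"; chmod 0600 "$t/db/__db.001"
  echo "config tree at 0640, expected owner $me:$mg:"
  check_config_dir "$t/ldap" "$me" "$mg" && echo "  ok"
  chmod 0644 "$t/ldap/slapd.conf"
  echo "config tree after chmod 0644 (rootpw readable by everyone):"
  check_config_dir "$t/ldap" "$me" "$mg" || echo "  flagged"
  echo "db tree checked against runtime user openldap:"
  check_db_dir "$t/db" openldap || echo "  flagged"
  rm -rf "$t"
}
demo
```

Run it as-is to see the scratch-tree demo; against a real host, call `check_config_dir /etc/ldap root openldap` and `check_db_dir /var/lib/ldap openldap` from the same shell. A non-zero exit from either check is the signal to fix ownership before switching the runtime user, rather than having the postinst blindly chown the whole tree.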


