[Pkg-openldap-devel] Bug#485478: give permission to openldap group members to run slapcat
Jack Bates
ms419 at freezone.co.uk
Mon Jun 9 19:14:48 UTC 2008
Package: slapd
Version: 2.4.9-1
Severity: wishlist
We run a daily backup script to dump the contents of our LDAP database
to a version controlled repository, using slapcat. We don't want to run
the backup script as root, so we tried adding the user which does run
the script to the openldap group. Unfortunately we still couldn't run
slapcat because /etc/ldap/slapd.conf is only readable by root, and
/var/lib/ldap is only readable by the openldap user. To get slapcat
working for members of the openldap group, I eventually arrived at the
following permissions:
amos% ls -l /etc/ldap
total 24
-rw-r--r-- 1 root root 245 2008-02-14 12:14 ldap.conf
drwxr-xr-x 2 root root 4096 2007-07-25 19:43 RCS
drwxr-xr-x 2 root root 4096 2006-12-13 07:57 sasl2
drwxr-xr-x 2 root root 4096 2008-03-12 17:20 schema
-rw-r----- 1 openldap openldap 4376 2007-07-25 19:50 slapd.conf
amos% sudo ls -la /var/lib/ldap
total 676
drwxrwx--- 2 openldap openldap 4096 2008-04-16 09:14 .
drwxr-xr-x 60 root root 4096 2008-05-20 07:45 ..
-rw-rw-r-- 1 openldap openldap 4096 2008-06-09 11:34 alock
-rw-rw---- 1 openldap openldap 8192 2008-04-16 09:14 __db.001
-rw-rw---- 1 openldap openldap 2629632 2008-04-16 09:14 __db.002
-rw-rw---- 1 openldap openldap 98304 2008-04-16 09:14 __db.003
-rw-rw---- 1 openldap openldap 565248 2008-04-16 09:14 __db.004
-rw-rw---- 1 openldap openldap 24576 2008-04-16 09:14 __db.005
-rw-rw-r-- 1 openldap openldap 96 2007-07-25 19:40 DB_CONFIG
-rw-rw---- 1 openldap openldap 8192 2008-04-25 16:45 dn2id.bdb
-rw-rw---- 1 openldap openldap 32768 2008-04-25 16:45 id2entry.bdb
-rw-rw---- 1 openldap openldap 107031 2008-06-07 13:42 log.0000000001
-rw-rw---- 1 openldap openldap 8192 2008-04-25 16:45 objectClass.bdb
amos%
My wish is for these to be the default permissions set by the Debian
slapd package, unless there's a risk in letting members of the openldap
group run slapcat? It seems safer than running our daily backup script
as root...
Thanks and best wishes, Jack
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.25-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages slapd depends on:
ii adduser 3.108 add and remove users and groups
ii coreutils 6.10-6 The GNU core utilities
ii debconf [debconf-2.0] 1.5.22 Debian configuration management sy
ii libc6 2.7-12 GNU C Library: Shared libraries
ii libdb4.2 4.2.52+dfsg-4 Berkeley v4.2 Database Libraries [
ii libgnutls26 2.2.5-1 the GNU TLS library - runtime libr
ii libldap-2.4-2 2.4.9-1 OpenLDAP libraries
ii libltdl3 1.5.26-4 A system independent dlopen wrappe
ii libperl5.10 5.10.0-10 Shared Perl library
ii libsasl2-2 2.1.22.dfsg1-20 Cyrus SASL - authentication abstra
ii libslp1 1.2.1-7.3 OpenSLP libraries
ii libwrap0 7.6.q-15 Wietse Venema's TCP wrappers libra
ii perl [libmime-base64-per 5.10.0-10 Larry Wall's Practical Extraction
ii psmisc 22.6-1 Utilities that use the proc filesy
ii unixodbc 2.2.11-16 ODBC tools libraries
Versions of packages slapd recommends:
ii libsasl2-modules 2.1.22.dfsg1-20 Cyrus SASL - pluggable authenticat
-- debconf information:
slapd/tlsciphersuite:
slapd/fix_directory: true
shared/organization: lat
slapd/upgrade_slapcat_failure:
slapd/backend: BDB
slapd/allow_ldap_v2: false
slapd/no_configuration: false
slapd/move_old_database: true
slapd/suffix_change: false
slapd/slave_databases_require_updateref:
slapd/dump_database_destdir: /var/backups/slapd-VERSION
slapd/autoconf_modules: true
slapd/domain: lat
slapd/password_mismatch:
slapd/invalid_config: true
slapd/slurpd_obsolete:
slapd/upgrade_slapadd_failure:
slapd/dump_database: when needed
slapd/migrate_ldbm_to_bdb: false
slapd/purge_database: false
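The permission layout the report arrives at (slapd.conf 0640 and /var/lib/ldap 0770, both group openldap, with the database files group-readable) can be checked before the backup runs, so a layout that has regressed to the root-only default fails with a clear message rather than a bare "Permission denied" from slapcat. The script below is an added example and is not code from the bug report or from the Debian slapd package; the function names, the output path and the scratch-tree parameters are assumptions, and it assumes GNU stat (Debian coreutils) and a BDB directory of flat files as shown in the listing above. The slapcat flags used are -f (config file) and -l (write LDIF to a file).

```shell
#!/bin/sh
# Added example; not code from the bug report or from the Debian slapd package.
# A non-root wrapper around slapcat for a daily LDIF backup. Before dumping it
# verifies that the files slapcat opens carry the permissions the report
# settled on (slapd.conf 0640 and /var/lib/ldap 0770, both group openldap,
# database files group-readable), so a layout that regressed to the root-only
# default fails with a clear message instead of a bare "Permission denied".
# Assumes GNU stat (Debian coreutils). Paths, group and output file are
# parameters so the checks can be exercised on a scratch tree.

# Print "MODE GROUP" for a path, e.g. "640 openldap".
mode_and_group() {
  stat -c '%a %G' "$1"
}

# Succeed when PATH has exactly octal mode MODE and group GROUP;
# otherwise report the mismatch on stderr and fail.
expect_mode() {
  path=$1 want_mode=$2 want_group=$3
  [ -e "$path" ] || { echo "missing: $path" >&2; return 1; }
  set -- $(mode_and_group "$path")
  bad=0
  [ "$1" = "$want_mode" ]  || { echo "$path: mode $1, want $want_mode" >&2; bad=1; }
  [ "$2" = "$want_group" ] || { echo "$path: group $2, want $want_group" >&2; bad=1; }
  return $bad
}

# Check the layout from the report: CONF 640, DBDIR 770, and every file in
# DBDIR either 660 or 664, all owned by group GROUP. Returns the number of
# problems found (0 means a member of GROUP can run slapcat).
check_slapcat_perms() {
  conf=$1 dbdir=$2 grp=$3
  problems=0
  expect_mode "$conf" 640 "$grp"  || problems=$((problems + 1))
  expect_mode "$dbdir" 770 "$grp" || problems=$((problems + 1))
  for f in "$dbdir"/*; do
    [ -e "$f" ] || continue                      # empty directory: glob stays literal
    set -- $(mode_and_group "$f")
    case "$1" in
      660|664) ;;                                # group can read (and write the lock/region files)
      *) echo "$f: mode $1, want 660 or 664" >&2
         problems=$((problems + 1)) ;;
    esac
    [ "$2" = "$grp" ] || { echo "$f: group $2, want $grp" >&2; problems=$((problems + 1)); }
  done
  return $problems
}

# Refuse to run as root, require membership of GROUP, verify the layout,
# then dump the database as LDIF to OUT.
backup_ldap() {
  conf=$1 dbdir=$2 grp=$3 out=$4
  if [ "$(id -u)" -eq 0 ]; then
    echo "refusing to run as root; run as a member of group $grp" >&2
    return 2
  fi
  id -Gn | tr ' ' '\n' | grep -qx "$grp" || {
    echo "$(id -un) is not a member of group $grp" >&2; return 2; }
  check_slapcat_perms "$conf" "$dbdir" "$grp" || return 1
  # -f selects the config file, -l writes the LDIF to a file instead of stdout
  slapcat -f "$conf" -l "$out"
}

# Typical invocation on a system laid out like the report (needs slapd installed;
# the output path is an assumption):
# backup_ldap /etc/ldap/slapd.conf /var/lib/ldap openldap /srv/backup/ldap.ldif
```

Running the checks as the backup user rather than as root keeps the failure mode honest: root would read the files regardless of mode, so a root-run check would never notice that the group permissions had been reset by a package upgrade.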