Hello,

On Monday, 23 October 2006 20:43, Quanah Gibson-Mount wrote:
> --On Monday, October 23, 2006 6:48 PM +0200 Thorsten Schmidt
>
> > I noticed that I (slapd? slapindex?) created some index files owned by
> > root by accident after introducing new index-directives for samba in
> > slapd.conf
> >
> > However, even if I've done terribly wrong by running slapindex as root, I
> > strongly recommend showing a warning message if slapindex is up to
> > produce an inconsistent database (database, that openldap is unable to
> > read by debian defaults).
> >
> > Btw. I've set severity: important, since inconsistent LDAP-DBs might
> > cause system to fail as a whole. Feel free to set it to wishlist.
>
> Well, the problem definitely stems from running slapindex as root, rather
> than as the openldap user. There is nothing actually wrong with the
> database that was created, simply fixing the permissions afterward should
> resolve any issues. If it is not already in the debian documentation, I
> would agree that it needs to be strongly advised that if one intends to use
> the slap* tools, then they need to do it as the same user as OpenLDAP is
> running as, or otherwise they'll run into these types of permissions
> issues. This really isn't that different from any number of other
> applications that run as their own user.

man slapindex: nothing - slapindex even doesn't support running as a different
user like slapd does
README.Debian.gz: nothing
info: slapindex: nothing

However, I suggest applying the attached patches.

Greets
Thorsten

--- openldap-old/doc/man/man8/slapindex.8 2006-01-03 23:16:06.000000000 +0100 +++ openldap2.3-2.3.27/doc/man/man8/slapindex.8 2006-10-24 20:21:16.000000000 +0200 @@ -90,6 +90,10 @@ should not be running (at least, not in read-write mode) when you do this to ensure consistency of the database. .LP +slapindex ought to be run as the user specified for +.BR slapd (8) +to ensure correct database permissions. +.LP This command provides ample opportunity for the user to obtain and drink their favorite beverage. .SH EXAMPLES
--- openldap-old/servers/slapd/slapindex.c 2006-01-03 23:16:16.000000000 +0100 +++ openldap2.3-2.3.27/servers/slapd/slapindex.c 2006-10-24 20:14:46.000000000 +0200 @@ -34,6 +34,8 @@ int slapindex( int argc, char **argv ) { + if(geteuid() == 0) + fprintf( stderr, "\nWARNING!\nRunnig as root!\nThere's a fair chance slapd will fail to start.\nCheck database permissions!\n\n"); ID id; int rc = EXIT_SUCCESS; const char *progname = "slapindex";
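
Review bot: In the slapindex.8 hunk, "ought to be run as the user specified for slapd(8)" is too soft and does not tell the reader where that user is specified or what goes wrong otherwise. Suggest "must be run as the user slapd runs as (see the -u option in slapd(8))" and adding one sentence on the consequence reported in this thread: index files created as root are owned by root and slapd cannot read them until the ownership is fixed. Since slapindex has no option of its own to switch user, the paragraph should also say that the caller has to change user before invoking it.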
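
Review bot: In the slapindex.c hunk, the new "if(geteuid() == 0)" statement sits above the declarations of "ID id;", "int rc" and "progname", which puts a statement before declarations and will be rejected by compilers in C89 mode; move the check below the declaration block. The message text has a typo ("Runnig" should be "Running"), and it could use progname instead of a bare "WARNING!" so the output shows which tool printed it. The test also only catches euid 0: running slapindex as any other user that differs from the database owner produces the same unreadable index files without a warning, so comparing the effective uid against the owner of the database directory would cover the case the bug report describes more completely. As written the tool warns and then continues, so the root-owned files are still created; consider whether that is the intended behaviour.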