[Bug 556176] [NEW] slapd homedir (and some enhancements...)

Jorgen Rosink jrosink at gmail.com
Tue Apr 6 03:48:26 BST 2010


Public bug reported:

Binary package hint: slapd

Sometime ago the Ubuntu slapd package changed the homedir of the
openldap user from /var/lib/ldap to /nonexistent.

<quote>
openldap (2.4.17-1ubuntu3) karmic; urgency=low

     + Move openldap user home from /var/lib/ldap to /nonexistent.
</quote>

Now I agree that /var/lib/ldap shouldn't be the openldap homedir, but
currently the /nonexistent directory is actually being created while
installing slapd. However, creating a directory in the root filesystem
for no reason is a bug IMHO. Please change this behaviour by not creating
the homedir when the openldap user is being created, or better, set the
homedir to /var/run/slapd.

I also attached a patch to fix some minor issues I experienced while
using the Ubuntu slapd package:

*) As mentioned in #489619 and #506317, which are duplicates of #427842,
the default ACL (olcAccess) in the frontend configuration is lacking
essential entries. For now #427842 is tagged as a wishlist item; that's
wrong, the current default configuration is defective and SHOULD be fixed.
The two extra olcAccess lines suggested (and in this patch) have NOTHING
to do with security of some kind. Please read the (last) comment in
#489619 by Quanah Gibson-Mount for an explanation (and realize he knows
more about OpenLDAP, or directory services in general, than most of us
ever will...)

*) The default config database is provided with an admin user
(olcRootDN: cn=admin,cn=config) without a password (olcRootPW). It's
best practice to not use either of them anyway, and to configure OpenLDAP
ACLs with olcAccess attributes, but in the current state this entry is
completely bogus and should be removed, or the package installer should
ask for a password and provision the olcRootPW attribute ({SSHA}
preferred).

*) While playing with slapd and Corosync/Pacemaker cluster stuff, I
discovered the slapd init script doesn't have a status function. I'm
trying to create a working OCF-compatible script (with monitor stuff),
but for now I'm using the default LSB init function for testing. The
attached patch adds some simple status checking with LSB-compatible exit
codes, which may be useful for other purposes.

Thanks for packaging OpenLDAP!!!

** Affects: openldap (Ubuntu)
     Importance: Undecided
         Status: New

-- 
slapd homedir (and some enhancements...)
https://bugs.launchpad.net/bugs/556176
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in ubuntu.
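The report above mentions an LSB-compatible "status" action for the slapd init script but the attached patch is not part of this page. What follows is an added example, not the reporter's patch and not the Ubuntu package's own init script: a POSIX sh status function that maps the pid-file state onto the LSB exit codes (0 running, 1 dead with pid file present, 3 not running, 4 unknown). The pid file path /var/run/slapd/slapd.pid is an assumption chosen to match the /var/run/slapd directory the report proposes; the function takes the path as an argument so it can be pointed anywhere.

```shell
#!/bin/sh
# Added example, not the reporter's patch: an LSB-style status check
# for slapd, written as a shell function so it can be dropped into an
# init script's "status" action or called from a monitoring hook.
#
# LSB exit codes for "status":
#   0  program is running
#   1  program is dead and a pid file exists
#   3  program is not running
#   4  status unknown (e.g. unreadable or malformed pid file)
#
# The default pid file path below is an assumption, not taken from the
# package; pass the real path as the first argument.

slapd_status() {
    pidfile="${1:-/var/run/slapd/slapd.pid}"

    # No pid file at all: treat as cleanly stopped.
    [ -e "$pidfile" ] || return 3

    # Pid file present but unreadable: status unknown.
    pid=$(tr -d '[:space:]' < "$pidfile" 2>/dev/null) || return 4
    # Empty or non-numeric content: refuse to guess rather than signal
    # an arbitrary process later on.
    [ -n "$pid" ] || return 4
    case "$pid" in
        *[!0-9]*) return 4 ;;
    esac

    # Signal 0 only tests for process existence. When run unprivileged,
    # kill -0 fails with EPERM for another user's process, so fall back
    # to /proc (Linux) before declaring the process dead.
    if kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]; then
        return 0
    fi

    # Pid file exists but the process is gone: stale pid file.
    return 1
}

# Human-readable wrapper that preserves the LSB exit status, suitable
# as the body of the init script's "status" case.
slapd_status_report() {
    rc=0
    slapd_status "$@" || rc=$?
    case "$rc" in
        0) echo "slapd is running" ;;
        1) echo "slapd is dead but pid file exists" ;;
        3) echo "slapd is not running" ;;
        *) echo "slapd status unknown" ;;
    esac
    return "$rc"
}
```

A stale pid file (exit 1) is the case worth alerting on: it is what a cluster resource agent sees after a crash, and it is also the state a "restart" action has to clear before starting a new daemon, otherwise the start may be refused because the pid file still exists.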
