slapd creates /nonexistent homedir (and some enhancements...)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| openldap (Ubuntu) | Fix Released | Medium | Unassigned | |
| Lucid | Fix Released | Medium | Unassigned | |
Bug Description
Binary package hint: slapd
Sometime ago the Ubuntu slapd package changed the homedir of the openldap user from /var/lib/ldap to /nonexistent.
> openldap (2.4.17-1ubuntu3) karmic; urgency=low
> + Move openldap user home from /var/lib/ldap to /nonexistent.
Now I agree that /var/lib/ldap shouldn't be the openldap homedir, but currently the /nonexistent directory is actually being created while installing slapd. Creating a directory in the root filesystem for no reason is a bug IMHO. Please change this behaviour by not creating the homedir when the openldap user is being created, or better, set the homedir to /var/run/slapd.
I also attached a patch to fix some minor issues I experienced while using the Ubuntu slapd package:
*) As mentioned in #489619 and #506317, which are duplicates of #427842, the default ACL (olcAccess) in the frontend configuration is lacking essential entries. For now #427842 is tagged as a wishlist item; that's wrong, the current default configuration is defective and SHOULD be fixed. The two extra olcAccess lines suggested (and in this patch) have NOTHING to do with security of any kind. Please read the (last) comment in #489619 by Quanah Gibson-Mount for an explanation (and realize he knows more about OpenLDAP or directory services in general than most of us ever will...)
*) The default config database is provided with an admin user (olcRootDN: cn=admin,cn=config) without a password (olcRootPW). It's best practice to not use either of them anyway, and to configure OpenLDAP ACLs with olcAccess attributes, but in the current state this entry is completely bogus and should be removed, or the package installer should ask for a password and provision the olcRootPW attribute ({SSHA} preferred).
*) While playing with slapd and Corosync/Pacemaker cluster stuff, I discovered the slapd init script doesn't have a status function. I'm trying to create a working OCF-compatible script (with monitor stuff), but for now I'm using the default LSB init function for testing. The attached patch adds some simple status checking with LSB-compatible exit codes, which may be useful for other purposes.
Thanks for packaging OpenLDAP !!!
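The init-script status check the report describes, as an added example written for this page and not the patch attached to the bug: an LSB-style `status` action keyed on a pidfile, returning the LSB exit codes (0 running, 1 dead but pidfile present, 3 not running, 4 unknown). The pidfile path, the `DAEMON` name and the function names are assumptions; a real slapd pidfile is whatever slapd.conf or olcPidFile points at.

```shell
#!/bin/sh
# Added example, not the patch attached to this bug: an LSB-style "status"
# action for a pidfile-based daemon such as slapd.
# LSB exit codes for status: 0 running, 1 dead but pidfile exists,
# 3 not running (no pidfile), 4 status unknown.
# DAEMON and PIDFILE are assumptions; slapd's real pidfile is whatever
# slapd.conf / olcPidFile points at.
DAEMON=slapd
PIDFILE=/var/run/slapd/slapd.pid

# lsb_status PIDFILE -> returns the LSB status code for the pid it holds.
lsb_status() {
    pidfile=$1
    [ -n "$pidfile" ] || return 4
    [ -f "$pidfile" ] || return 3          # no pidfile: not running
    pid=
    read -r pid < "$pidfile" || :          # read fails on a missing newline; keep what we got
    case $pid in
        ''|*[!0-9]*) return 4 ;;           # empty or non-numeric pidfile
    esac
    # kill -0 checks existence without signalling; EPERM still means alive,
    # so fall back to /proc where it exists.
    if kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]; then
        return 0
    fi
    return 1                               # stale pidfile: process gone
}

# status_msg PIDFILE -> human-readable line, same exit code as lsb_status.
status_msg() {
    rc=0
    lsb_status "$1" || rc=$?
    case $rc in
        0) echo "$DAEMON is running" ;;
        1) echo "$DAEMON is not running but pidfile $1 exists" ;;
        3) echo "$DAEMON is not running" ;;
        *) echo "$DAEMON status unknown" ;;
    esac
    return $rc
}

# Usage from an init script's case statement:
#   status) status_msg "$PIDFILE" ;;
```

The exit code is the contract a cluster resource agent or `service slapd status` relies on, so the message is cosmetic and the return value is what matters; a stale pidfile (code 1) is deliberately distinguished from "never started" (code 3) so a monitor can tell a crash from a clean stop.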
Changed in openldap (Ubuntu):
- importance: Undecided → Medium
- status: New → Confirmed
- summary: "slapd homedir (and some enhancements...)" → "slapd creates /nonexistent homedir (and some enhancements...)"
Above attachment only contains the init script changes, here's the other one.