slapd creates /nonexistent homedir (and some enhancements...)

Bug #556176 reported by Jorgen Rosink on 2010-04-06
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
openldap (Ubuntu)
Medium
Unassigned
Lucid
Medium
Unassigned

Bug Description

Binary package hint: slapd

Sometime ago the Ubuntu slapd package changed the homedir of the openldap user from /var/lib/ldap to /nonexistent.

<quote>
openldap (2.4.17-1ubuntu3) karmic; urgency=low

     + Move openldap user home from /var/lib/ldap to /nonexistent.
</quote>

Now I agree that /var/lib/ldap shouldn't be the openldap homedir, but currently the /nonexistent directory is actually being created while installing slapd, however creating a directory in the root filesytem for no reason is a bug IMHO. Please change this behaviour by not creating the homedir when the openldap user is being created, or better, set the homedir to /var/run/slapd.

I also attached a patch to fix some minor issues I experienced while using the Ubuntu slapd package:

*) As mentioned in #489619 and #506317 which are duplicates of #427842, the default ACL (olcAccess) in the frontend configuration is lacking essential entries. For now #427842 is tagged as wishlist item, that's wrong, the current default configuration is defect and SHOULD be fixed. The two extra olcAccess lines suggested (and in this patch) has NOTHING to do with security or some kind. Please read the (last) comment in #489619 by Quanah Gibson-Mount for explanation (and realize he knows more about OpenLDAP or directory services in general most of us ever will...)

*) The default config database is provided with an admin user (olcRootDN: cn=admin,cn=config) without a password (olcRootPW). It's best-practice to not use both of them anyway, and configure OpenLDAP ACL's with olcAccess attributes, but in the current state this entry is completely bogus and should be removed, or the package installer should ask for a password and provision the olcRootPW attribute ({SSHA} preferred).

*) While playing with slapd and Corosync/Pacemaker cluster stuff, I discovered the slapd init script doesn' t have a status function. I'm trying to create a working OCF compatible script (with monitor stuff) but for now I'm using the default LSB init function for testing. The attached patch adds some simple status checking with LSB compatible exit codes which may be usefull for other purposes.

Thanks for packaging OpenLDAP !!!

Jorgen Rosink (jrosink) wrote :

Above attachment only contains the init script changes, here's the other one.

Thierry Carrez (ttx) on 2010-04-06
Changed in openldap (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
summary: - slapd homedir (and some enhancements...)
+ slapd creates /nonexistent homedir (and some enhancements...)
Mathias Gug (mathiaz) wrote :

I've opened bug 562377 to track the addition of the status function to the init script.

In the future please open separate bug for each improvements as it makes things much easier to track.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.21-0ubuntu4

---------------
openldap (2.4.21-0ubuntu4) lucid; urgency=low

  [ Simon Olofsson ]
  * debian/slapd.postinst:
    - Show a message after successful migration (LP: #538848)

  [ Jorgen Rosink ]
  * debian/slapd.init: add simple status checking with LSB compatible exit
    codes (LP: #562377)
  * debian/slapd.init.ldif:
    - remove admin user in default config database (LP: #556176)
    - in default config, add olcAccess entries giving access to controls
      available and cn=subschema (LP: #427842)

  [ Scott Moser ]
  * debian/slapd.scripts-common: Do not create /nonexistent directory
     for openldap user's home (LP: #556176)
  * debian/slapd.postinst: fix cn=config olcAccess migration (LP: #559070)
 -- Scott Moser <email address hidden> Mon, 12 Apr 2010 16:16:47 -0400

Changed in openldap (Ubuntu Lucid):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers