
slapd chroot jail problem

I've installed an LDAP server (just apt-get install slapd). I made some changes
to the default installation, like

  adduser slapd
  chown -R slapd.slapd /etc/ldap
  chmod 770 /etc/ldap
  find /etc/ldap -type f -exec chmod 440 {} \;
  find /etc/ldap -type d -exec chmod 770 {} \;
  chown -R slapd.slapd /var/lib/ldap
  chmod 750 /var/lib/ldap
  rm /var/lib/ldap/*
  chown -R slapd.slapd /var/spool/slurpd
  rm /var/spool/slurpd/*

Then I added to "/etc/default/slapd"

And then I read about the "-r" parameter. I thought "-r" would be a better
approach than the one I was trying. So I added to "/etc/default/slapd":
SLAPD_OPTIONS="-r /home/slapd"

I added this to have slapd chrooted to /home/slapd. But when I did this and
tried to restart slapd, I got the error:

"No passwd entry for user slapd"

"Of course", I thought, "man says 'slapd will chroot to this directory after
opening listeners but before reading any configuration files or initializing
any backends', so slapd has no access to /etc/passwd, and can't see the slapd
entry." Then I copied /etc/passwd and /etc/shadow (just in case)
to /home/slapd/etc/passwd, and I got the same error. Then I copied them
to /home/slapd/passwd, and got the same error.

So I thought "I will make slapd start chrooted, and afterwards I will look into
how to change the user". Then I removed SLAPD_USER and SLAPD_GROUP
from /etc/default/slapd, and tried to start slapd.
Now the error is different:
"error loading ucdata (error -127)"

So I'm sure the chroot makes slapd unable to find these files, but I copied them
as if "/home/slapd" were "/" and it made no difference :(

So, does someone have some info about this parameter of slapd? Where is it
looking for these files with this config?

I've looked at the admin's guide, the FAQs, and the man pages, and I've found
nothing. Can any of you help me, please?

PS: I'm writing down everything I'm doing to get slapd running securely. When I'm
done, I'll send it to you. Help will be appreciated ;)
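Added example, not code from the original post or from the OpenLDAP project: a small POSIX shell check of a prospective chroot directory, exercising the point the poster ran into, that once slapd has chrooted with "-r" every file it still needs, including the passwd entry for the user it switches to, must exist under the jail at the same relative path it had on the host. The jail directory, the user name and the list of relative paths are assumptions supplied by the caller; which files a particular slapd build reads after the chroot (config, schema, ucdata, ...) is not something this page states.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a directory that
# slapd is to chroot into with "-r" before restarting the daemon.
# slapd(8), as quoted in the post, chroots after opening listeners but before
# reading any configuration, so everything read afterwards must live under
# the jail root at the same relative path as on the host.
#
# Usage: check_chroot ROOT USER RELPATH...
#   e.g. check_chroot /home/slapd slapd etc/ldap/slapd.conf
# Prints one line per problem found and returns the number of problems
# (0 = nothing missing). The RELPATH list is an assumption the caller makes
# about what its slapd build reads after the chroot.

check_chroot() {
    root=$1; user=$2; shift 2
    problems=0

    if [ ! -d "$root" ]; then
        echo "chroot root $root is not a directory"
        return 1
    fi

    # The user slapd switches to must be resolvable from inside the jail,
    # so look for it in ROOT/etc/passwd, not in the host's /etc/passwd.
    if [ ! -f "$root/etc/passwd" ]; then
        echo "missing $root/etc/passwd (user lookup inside the jail fails)"
        problems=$((problems + 1))
    elif ! grep -q "^$user:" "$root/etc/passwd"; then
        echo "no entry for $user in $root/etc/passwd"
        problems=$((problems + 1))
    fi

    # Every remaining path is checked relative to the jail root.
    for rel in "$@"; do
        if [ ! -e "$root/$rel" ]; then
            echo "missing $root/$rel"
            problems=$((problems + 1))
        fi
    done

    # A world-writable jail root lets any local user plant files the
    # daemon will read as trusted configuration; flag it.
    case $(ls -ld "$root" | cut -c1-10) in
        ????????w?) echo "$root is world-writable"; problems=$((problems + 1)) ;;
    esac

    return "$problems"
}

# Run directly: ./check_chroot.sh /home/slapd slapd etc/ldap/slapd.conf
if [ $# -ge 2 ]; then
    check_chroot "$@"
fi
```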
