
Re: slapd access to private key owned by root



Hello,

On Sun, Mar 05, 2023 at 09:08:57AM +0800, jeremy ardley wrote:
> The problem is when I try and configure private keys for ldap TLS the
> permissions are checked and if it's not owned by openldap and permissions
> 400 or 600 the configuration fails.
> 
> Is there a known solution to this problem?

My TLS key file is owned by the openldap user.

If for some reason you need it not to be owned by that user (why?) then
I expect you could either:

- use group readability (i.e. make a group just for this, put the openldap
  user in that group and set the key file group readable)

- use POSIX file acl so that openldap user can read TLS key file
  regardless of file permissions

  https://www.server-world.info/en/note?os=Debian_11&p=acl

  I've not tried it for this specific case but I use it so that Exim
  can read its TLS key in the same way, and that works fine.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
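As an added example that is not part of the thread: a small POSIX sh helper that applies the group approach Andy describes to a key file and checks the resulting mode before slapd is pointed at it. It assumes the permission column of `ls -ld`; the ACL variant needs setfacl from the acl package, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: apply the "dedicated group" approach
# to a root-owned TLS key and verify the result. Relies only on POSIX sh,
# ls -ld and cut; setfacl is optional.

# Print the 9-character rwx string for a file, e.g. "rw-r-----".
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# Succeeds only if "other" has no permission bits at all, i.e. the key is
# not readable by every local user.
key_not_world_accessible() {
    p=$(perm_string "$1") || return 1
    [ "$(printf '%s' "$p" | cut -c7-9)" = "---" ]
}

# Succeeds if the group triplet is exactly r--: members of the key's group
# (such as the openldap user) can read but not modify it.
key_group_read_only() {
    p=$(perm_string "$1") || return 1
    [ "$(printf '%s' "$p" | cut -c4-6)" = "r--" ]
}

# Group approach: hand the key to GROUP and set mode 0640. Ownership stays
# with the current owner (root in the original question), so run this as
# root or as the key's owner. Adding the openldap user to GROUP (usermod -aG)
# is a separate step not done here.
grant_group_read() {
    chgrp "$2" "$1" && chmod 0640 "$1"
}

# ACL approach: grant USER read access without changing owner or group.
# Returns 1 if setfacl (acl package) is not installed.
grant_acl_read() {
    command -v setfacl >/dev/null 2>&1 || return 1
    setfacl -m "u:$2:r" "$1"
}
```

Typical use as root would be `grant_group_read /etc/ldap/key.pem tlskeys` (placeholder path and group) followed by `key_not_world_accessible /etc/ldap/key.pem`; with `getfacl` you can confirm the ACL variant the same way.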

