[389-users] db2ldif as non root user
rmeggins at redhat.com
Tue Oct 13 19:51:15 UTC 2009
Mitja Mihelič wrote:
> Rich Megginson wrote:
>> Mitja Mihelič wrote:
>>> Greetings all fellow Fedora Directory Server users!
>>> Is it possible to dump the database to an LDIF file as a non-root
>>> user ?
>>> I have no problem doing this as root.
>>> I would like to run
>>> /usr/lib/dirsrv/slapd-example/db2ldif -a /tmp/dbdump.ldif -n userRoot
>>> from a remote machine via ssh and I would really like to avoid
>>> connecting to the machine as root.
>>> Has anyone had any experience in doing this if it is at all possible ?
>> You can also use the task interface to invoke this task via LDAP
>> remotely. See /usr/lib/dirsrv/slapd-example/db2ldif.pl for more
> Rich, I tried your suggestion and it worked.
> Here is what I did to get it working :
> - as root: chmod o+rx /usr/lib/dirsrv/slapd-example/db2ldif.pl
> - as user: /usr/lib/dirsrv/slapd-example/db2ldif.pl -D "cn=Directory
> manager" -w secret -a /tmp/dbdump.ldif -n userRoot
> This produced an LDIF dump as it should.
> Since it was written by the ldapmodify command (if I am reading the
> script correctly) it is owned by nobody :
> -rw------- 1 nobody nobody 136140945 Oct 13 09:34 dbdump.ldif
> Of course now the dump cannot be read by the user that initiated the
> I failed to mention that after the dump is created, it is supposed to
> be copied (via scp) to the machine that initiated the dump.
> The remote machine issues the following commands:
> # ssh user at example.com /usr/lib/dirsrv/slapd-example/db2ldif.pl -D
> "cn=Directory manager" -w secret -a /tmp/dbdump.ldif -n userRoot
Instead of remotely executing the db2ldif.pl script, you can use
ldapmodify on the local machine to do the same thing. What I originally
meant was to look at the contents of the db2ldif.pl script, the part
that does the ldapmodify, and just use ldapmodify yourself on the local
> # scp user at example.com:/tmp/dbdump.ldif /home/user/dbdump.ldif
> The only way I see around this problem is to let the server run as a
> user other than "nobody". Or is there another way ?
Note that if you change the server to run as a different user, you will
need to make sure to chown everything currently owned by "nobody" under
/etc/dirsrv, /usr/lib/dirsrv, /usr/lib64/dirsrv, and /var/*/dirsrv to
be owned by your new user. And change the nsslapd-localuser parameter
in cn=config in your dse.ldif. And change anywhere in o=NetscapeRoot
and /etc/dirsrv/admin-serv where it references "nobody" to be your new
user. This will be quite a painful undertaking. If possible, if you go
this route, I suggest you just start over from scratch (i.e. run
remove-ds-admin.pl) then run setup-ds-admin.pl again, and use your new
user instead of "nobody".
I don't know if there is really a graceful way to do what you are
attempting to do.
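The task-interface route Rich describes, as an added example that is not part of the original thread or of the db2ldif.pl script: the shell functions below build the `cn=export,cn=tasks,cn=config` entry that a db2ldif task consists of and pipe it to `ldapmodify` over LDAP, so nothing has to be executed on the server host. The attribute names `nsInstance` and `nsFilename` are the 389 DS export-task attributes; the task name, host, output path and password file are constructed for the example. The bind password is read from a file with OpenLDAP's `-y` option rather than passed as `-w secret`, so it does not show up in the submitting host's process list.

```shell
#!/bin/sh
# Added example (not from the thread or from db2ldif.pl): request a db2ldif
# export through the 389 DS task interface with a plain ldapmodify.
# The server performs the export as its own user (the thread's "nobody"),
# so the output path must be writable by that user and the resulting file
# will be owned by it, exactly as Mitja observed.

# build_export_task_ldif TASKNAME BACKEND OUTFILE
# Emits the LDIF for one export task entry under cn=export,cn=tasks,cn=config.
build_export_task_ldif() {
  task_name=$1
  backend=$2
  outfile=$3
  printf 'dn: cn=%s,cn=export,cn=tasks,cn=config\n' "$task_name"
  printf 'changetype: add\n'
  printf 'objectclass: top\n'
  printf 'objectclass: extensibleObject\n'
  printf 'cn: %s\n' "$task_name"
  printf 'nsInstance: %s\n' "$backend"   # backend to dump, e.g. userRoot
  printf 'nsFilename: %s\n' "$outfile"   # path on the *server*, written by the server user
}

# submit_export_task HOST BINDDN PASSFILE TASKNAME BACKEND OUTFILE
# Sends the entry to the server. PASSFILE holds the bind password (mode 0600);
# -y is the OpenLDAP ldapmodify option that reads it from a file.
submit_export_task() {
  host=$1; binddn=$2; passfile=$3; task_name=$4; backend=$5; outfile=$6
  build_export_task_ldif "$task_name" "$backend" "$outfile" \
    | ldapmodify -x -H "ldap://$host" -D "$binddn" -y "$passfile"
}

# Example invocation (constructed values; uncomment to run against a server):
# submit_export_task ldap.example.com "cn=Directory Manager" /home/user/.dm-pass \
#   "export-$(date +%Y%m%d%H%M%S)" userRoot /tmp/dbdump.ldif
```

Usage note: the server deletes a finished task entry after a short time, so to confirm completion you can `ldapsearch` the task DN for its `nsTaskExitCode` attribute while it still exists; a zero exit code means the LDIF was written. The file-ownership problem from the thread is unchanged by this approach, since the export is still performed by the server process.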