[389-users] db2ldif as non root user

Rich Megginson rmeggins at redhat.com
Tue Oct 13 19:51:15 UTC 2009

Mitja Mihelič wrote:
> Rich Megginson wrote:
>> Mitja Mihelič wrote:
>>> Greetings all fellow Fedora Directory Server users!
>>> Is it possible to dump the database to an LDIF file as a non-root 
>>> user?
>>> I have no problem doing this as root.
>>> I would like to run
>>> /usr/lib/dirsrv/slapd-example/db2ldif -a /tmp/dbdump.ldif -n userRoot
>>> from a remote machine via ssh and I would really like to avoid 
>>> connecting to the machine as root.
>>> Has anyone had any experience in doing this if it is at all possible?
>> You can also use the task interface to invoke this task via LDAP 
>> remotely.  See /usr/lib/dirsrv/slapd-example/db2ldif.pl for more 
>> information.
> Rich, I tried your suggestion and it worked.
> Here is what I did to get it working:
> - as root: chmod o+rx /usr/lib/dirsrv/slapd-example/db2ldif.pl
> - as user: /usr/lib/dirsrv/slapd-example/db2ldif.pl -D "cn=Directory 
> manager" -w secret -a /tmp/dbdump.ldif -n userRoot
> This produced an LDIF dump as it should.
> Since it was written by the ldapmodify command (if I am reading the 
> script correctly) it is owned by nobody:
> -rw------- 1 nobody nobody 136140945 Oct 13 09:34 dbdump.ldif
> Of course now the dump cannot be read by the user that initiated the 
> operation.
> I failed to mention that after the dump is created, it is supposed to 
> be copied (via scp) to the machine that initiated the dump.
> The remote machine issues the following commands:
> # ssh user@example.com /usr/lib/dirsrv/slapd-example/db2ldif.pl -D 
> "cn=Directory manager" -w secret -a /tmp/dbdump.ldif -n userRoot
Instead of remotely executing the db2ldif.pl script, you can use 
ldapmodify on the local machine to do the same thing.  What I originally 
meant was to look at the contents of the db2ldif.pl script, the part 
that does the ldapmodify, and just use ldapmodify yourself on the local 
> # scp user@example.com:/tmp/dbdump.ldif /home/user/dbdump.ldif
> The only way I see around this problem is to let the server run as a 
> user other than "nobody". Or is there another way ?
Note that if you change the server to run as a different user, you will 
need to make sure to chown everything currently owned by "nobody" under 
/etc/dirsrv, /usr/lib/dirsrv, /usr/lib64/dirsrv, and /var/*/dirsrv to 
be owned by your new user.  And change the nsslapd-localuser parameter 
in cn=config in your dse.ldif.  And change anywhere in o=NetscapeRoot 
and /etc/dirsrv/admin-serv where it references "nobody" to be your new 
user.  This will be quite a painful undertaking.  If possible, if you go 
this route, I suggest you just start over from scratch (i.e. run 
remove-ds-admin.pl) then run setup-ds-admin.pl again, and use your new 
user instead of "nobody".

I don't know if there is really a graceful way to do what you are 
attempting to do. 
> Regards,
> Mitja
> -- 
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
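The ldapmodify-based route Rich points at, written out as an added example (this script is not part of the thread and is not the project's own db2ldif.pl). It assumes the OpenLDAP client tools (ldapmodify, ldapsearch) are installed on the machine that initiates the dump, uses a placeholder server URL and bind DN, and reads the Directory Manager password from a mode-600 file rather than passing it with -w, so it does not show up in the process list. The task entry location cn=export,cn=tasks,cn=config and the attributes nsInstance, nsFilename and nsTaskExitCode are the ones the server's export task uses.

```shell
#!/bin/sh
# Added example: submit a 389/Fedora Directory Server export task over LDAP
# instead of running db2ldif.pl on the server. Assumes OpenLDAP client tools;
# the URL, bind DN and password file below are placeholders.
DS_URL="${DS_URL:-ldap://ds.example.com:389}"       # assumed server URL
DS_BINDDN="${DS_BINDDN:-cn=Directory Manager}"
DS_PWFILE="${DS_PWFILE:-$HOME/.ds-dirmgr.pw}"       # chmod 600; keeps -w secret out of ps

# Build the LDIF for an export task entry: backend name and output path are
# the same two values db2ldif.pl takes as -n and -a.
export_task_ldif() {
    task="$1"; backend="$2"; outfile="$3"
    printf '%s\n' \
        "dn: cn=$task,cn=export,cn=tasks,cn=config" \
        "objectclass: top" \
        "objectclass: extensibleObject" \
        "cn: $task" \
        "nsInstance: $backend" \
        "nsFilename: $outfile"
}

# Add the task entry. The server process performs the export and creates
# outfile under its own uid (nsslapd-localuser, "nobody" in the thread),
# so the caller needs no shell on the server, and no root.
submit_export_task() {
    export_task_ldif "$@" | ldapmodify -x -H "$DS_URL" -D "$DS_BINDDN" -y "$DS_PWFILE" -a
}

# Poll the task entry until it reports nsTaskExitCode, or give up after
# max_tries polls (finished task entries are removed by the server after a while).
wait_for_task() {
    task="$1"; max_tries="${2:-150}"; tries=0
    while [ "$tries" -lt "$max_tries" ]; do
        code=$(ldapsearch -x -LLL -H "$DS_URL" -D "$DS_BINDDN" -y "$DS_PWFILE" \
                   -b "cn=$task,cn=export,cn=tasks,cn=config" -s base nsTaskExitCode 2>/dev/null \
               | sed -n 's/^nsTaskExitCode: //p')
        if [ -n "$code" ]; then
            echo "task $task finished with exit code $code"
            return "$code"
        fi
        tries=$((tries + 1))
        sleep 2
    done
    echo "task $task did not report an exit code in time" >&2
    return 1
}

# Usage: DS_RUN_EXAMPLE=1 ./export-task.sh <taskname> <backend> <outfile>
if [ -n "${DS_RUN_EXAMPLE:-}" ]; then
    submit_export_task "$1" "$2" "$3" && wait_for_task "$1"
fi
```

This only removes the need to log in to the server: as the thread observes, the LDIF is still written by the server's own user, so the account that submitted the task cannot read the file unless the server user and that account share read access to it.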
