Mitja Mihelič wrote:
>
> Rich Megginson wrote:
>> Mitja Mihelič wrote:
>>> Greetings all fellow Fedora Directory Server users!
>>>
>>> Is it possible to dump the database to an LDIF file as a non-root user?
>>>
>>> I have no problem doing this as root.
>>>
>>> I would like to run
>>> /usr/lib/dirsrv/slapd-example/db2ldif -a /tmp/dbdump.ldif -n userRoot
>>> from a remote machine via ssh and I would really like to avoid connecting to the machine as root.
>>>
>>> Has anyone had any experience in doing this, if it is at all possible?
>>
>> You can also use the task interface to invoke this task via LDAP remotely. See /usr/lib/dirsrv/slapd-example/db2ldif.pl for more information.
>
> Rich, I tried your suggestion and it worked.
> Here is what I did to get it working:
> - as root: chmod o+rx /usr/lib/dirsrv/slapd-example/db2ldif.pl

Why?

> - as user: /usr/lib/dirsrv/slapd-example/db2ldif.pl -D "cn=Directory manager" -w secret -a /tmp/dbdump.ldif -n userRoot
>
> This produced an LDIF dump as it should.
> Since it was written by the ldapmodify command (if I am reading the script correctly), it is owned by nobody:
> -rw------- 1 nobody nobody 136140945 Oct 13 09:34 dbdump.ldif
> Of course now the dump cannot be read by the user that initiated the operation.
>
> I failed to mention that after the dump is created, it is supposed to be copied (via scp) to the machine that initiated the dump.
> The remote machine issues the following commands:
> # ssh user@example.com /usr/lib/dirsrv/slapd-example/db2ldif.pl -D "cn=Directory manager" -w secret -a /tmp/dbdump.ldif -n userRoot

Instead of remotely executing the db2ldif.pl script, you can use ldapmodify on the local machine to do the same thing. What I originally meant was to look at the contents of the db2ldif.pl script, the part that does the ldapmodify, and just use ldapmodify yourself on the local machine.
> # scp user@example.com:/tmp/dbdump.ldif /home/user/dbdump.ldif
>
> The only way I see around this problem is to let the server run as a user other than "nobody". Or is there another way?

Note that if you change the server to run as a different user, you will need to make sure to chown everything currently owned by "nobody" under /etc/dirsrv, /usr/lib/dirsrv, /usr/lib64/dirsrv, and /var/*/dirsrv to be owned by your new user. And change the nsslapd-localuser parameter in cn=config in your dse.ldif. And change anywhere in o=NetscapeRoot and /etc/dirsrv/admin-serv where it references "nobody" to be your new user. This will be quite a painful undertaking. If possible, if you go this route, I suggest you just start over from scratch (i.e. run remove-ds-admin.pl) then run setup-ds-admin.pl again, and use your new user instead of "nobody".

I don't know if there is really a graceful way to do what you are attempting to do.

>
> Regards,
> Mitja
>
> --
> 389 users mailing list
> 389-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
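As an added illustration of what Rich describes (doing the ldapmodify that db2ldif.pl does, directly from the initiating machine), here is a small POSIX shell script that builds the export task entry under cn=export,cn=tasks,cn=config, submits it with OpenLDAP's ldapmodify, and polls the task for its exit code. This is example code written for this page, not the db2ldif.pl script itself; the host name, bind DN, password file path, backend name and output path are assumptions. The export file is still written by the server process on the server's host, as whatever user ns-slapd runs as, so the ownership problem discussed in the thread is unchanged; what the script removes is the need for an ssh login and for making db2ldif.pl world-executable.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the 389 DS project):
# trigger a database export through the 389/Fedora DS task interface over LDAP.
# The server itself writes nsFilename, on its own host, as the user it runs as
# (e.g. "nobody"), exactly like the dump described in the thread.

DS_HOST="${DS_HOST:-example.com}"            # assumed directory server host
BIND_DN="${BIND_DN:-cn=Directory Manager}"   # assumed bind DN
PW_FILE="${PW_FILE:-$HOME/.ds-pw}"           # assumed 0600 file holding the bind password
                                             # (keeps the password out of "ps" output, unlike -w)

# Build the LDIF for one export task entry.
#   $1 = backend instance (e.g. userRoot)
#   $2 = output path as seen by the server
#   $3 = optional task name; defaults to a timestamped one
export_task_ldif() {
    backend="$1"
    outfile="$2"
    task="${3:-export-$(date +%Y%m%d%H%M%S)}"
    printf '%s\n' \
        "dn: cn=$task,cn=export,cn=tasks,cn=config" \
        "objectClass: top" \
        "objectClass: extensibleObject" \
        "cn: $task" \
        "nsInstance: $backend" \
        "nsFilename: $outfile"
}

# Submit the task entry; -a makes ldapmodify add the entry (same as ldapadd).
submit_export() {
    export_task_ldif "$@" \
        | ldapmodify -x -a -H "ldap://$DS_HOST" -D "$BIND_DN" -y "$PW_FILE"
}

# Poll the task entry until the server sets nsTaskExitCode, then return it
# (0 means the export finished successfully).
wait_for_task() {
    task="$1"
    while :; do
        code=$(ldapsearch -x -LLL -H "ldap://$DS_HOST" -D "$BIND_DN" -y "$PW_FILE" \
                   -b "cn=$task,cn=export,cn=tasks,cn=config" -s base nsTaskExitCode \
               | sed -n 's/^nsTaskExitCode: //p')
        if [ -n "$code" ]; then
            echo "task $task finished with exit code $code"
            return "$code"
        fi
        sleep 2
    done
}

# Only contact a server when explicitly asked, so the functions can be
# sourced and inspected without side effects:  RUN_EXPORT=1 ./export.sh
if [ "${RUN_EXPORT:-0}" = 1 ]; then
    TASK="export-$(date +%Y%m%d%H%M%S)"
    submit_export userRoot /tmp/dbdump.ldif "$TASK"
    wait_for_task "$TASK"
fi
```

Run it as `RUN_EXPORT=1 DS_HOST=example.com ./export.sh` from the machine that wants the dump; the scp step afterwards is unchanged. Bind with an identity that has rights to write under cn=tasks,cn=config rather than Directory Manager where your ACIs allow it, and keep the password file readable only by the invoking user.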