Mitja Mihelič wrote:
> Rich Megginson wrote:
>> Mitja Mihelič wrote:
>>> Greetings all fellow Fedora Directory Server users!
>>>
>>> Is it possible to dump the database to an LDIF file as a non-root user?
>>> I have no problem doing this as root. I would like to run
>>> /usr/lib/dirsrv/slapd-example/db2ldif -a /tmp/dbdump.ldif -n userRoot
>>> from a remote machine via ssh and I would really like to avoid connecting to the machine as root.
>>>
>>> Has anyone had any experience in doing this, if it is at all possible?
>>
>> You can also use the task interface to invoke this task via LDAP remotely. See /usr/lib/dirsrv/slapd-example/db2ldif.pl for more information.
>
> Rich, I tried your suggestion and it worked. Here is what I did to get it working:
> - as root: chmod o+rx /usr/lib/dirsrv/slapd-example/db2ldif.pl

Why?

> - as user: /usr/lib/dirsrv/slapd-example/db2ldif.pl -D "cn=Directory manager" -w secret -a /tmp/dbdump.ldif -n userRoot

Instead of remotely executing the db2ldif.pl script, you can use ldapmodify on the local machine to do the same thing. What I originally meant was to look at the contents of the db2ldif.pl script, the part that does the ldapmodify, and just use ldapmodify yourself on the local machine.

> This produced an LDIF dump as it should.
> Since it was written by the ldapmodify command (if I am reading the script correctly) it is owned by nobody:
> -rw------- 1 nobody nobody 136140945 Oct 13 09:34 dbdump.ldif
> Of course now the dump cannot be read by the user that initiated the operation.
> I failed to mention that after the dump is created, it is supposed to be copied (via scp) to the machine that initiated the dump.
> The remote machine issues the following commands:
> # ssh user@xxxxxxxxxxx /usr/lib/dirsrv/slapd-example/db2ldif.pl -D "cn=Directory manager" -w secret -a /tmp/dbdump.ldif -n userRoot

Note that if you change the server to run as a different user, you will need to make sure to chown everything currently owned by "nobody" under /etc/dirsrv, /usr/lib/dirsrv, /usr/lib64/dirsrv, and /var/*/dirsrv to be owned by your new user. And change the nsslapd-localuser parameter in cn=config in your dse.ldif. And change anywhere in o=NetscapeRoot and /etc/dirsrv/admin-serv where it references "nobody" to be your new user. This will be quite a painful undertaking. If possible, if you go this route, I suggest you just start over from scratch (i.e. run remove-ds-admin.pl) then run setup-ds-admin.pl again, and use your new user instead of "nobody".

> # scp user@xxxxxxxxxxx:/tmp/dbdump.ldif /home/user/dbdump.ldif
> The only way I see around this problem is to let the server run as a user other than "nobody". Or is there another way?

I don't know if there is really a graceful way to do what you are attempting to do.

> Regards, Mitja
> --
> 389 users mailing list
> 389-users@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
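The task-interface approach discussed in this thread, as an added example that is not part of the original messages or of the db2ldif.pl script: a shell function that builds the export task entry (under cn=export,cn=tasks,cn=config) to feed to ldapmodify. The function name, the input checks and the HOST placeholder are assumptions made for illustration; the ldapmodify flags shown in the comment are OpenLDAP client syntax.

```shell
#!/bin/sh
# Added example: build the LDIF for a 389 DS export task entry.
# HOST and task.ldif in the usage comment are placeholders.

# export_task_ldif BACKEND OUTFILE [TASKNAME]
# Prints an "add" record for cn=export,cn=tasks,cn=config on stdout.
export_task_ldif() {
    backend=$1
    outfile=$2
    name=${3:-export_$(date +%Y%m%d%H%M%S)_$$}

    # Backend and task names go straight into the DN and attribute values,
    # so restrict them to a character set that cannot start a new LDIF line.
    case $backend in
        ''|*[!A-Za-z0-9_-]*) echo "bad backend name" >&2; return 1 ;;
    esac
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "bad task name" >&2; return 1 ;;
    esac
    # The server process writes the file itself, so require an absolute
    # path made of plain path characters only.
    case $outfile in
        /*) ;;
        *) echo "output path must be absolute" >&2; return 1 ;;
    esac
    case $outfile in
        *[!A-Za-z0-9_./-]*) echo "bad output path" >&2; return 1 ;;
    esac

    cat <<EOF
dn: cn=$name,cn=export,cn=tasks,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: $name
nsInstance: $backend
nsFilename: $outfile
EOF
}

# Usage (not run here): write the record to a file, then submit it.
# -W prompts for the bind password, keeping it out of the process list.
#   export_task_ldif userRoot /tmp/dbdump.ldif > task.ldif
#   ldapmodify -x -H ldap://HOST -D "cn=Directory Manager" -W -f task.ldif
```

The export is still performed by the server process, so the resulting file has the ownership and mode described in the thread (owned by the server user, readable only by it).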