1 files changed, 37 insertions, 0 deletions

diff --git a/recipes-support/openldap/openldap-2.4.39/index-files-created-as-root.patch b/recipes-support/openldap/openldap-2.4.39/index-files-created-as-root.patch
new file mode 100644
index 0000000..47fc88a
--- /dev/null
+++ b/recipes-support/openldap/openldap-2.4.39/index-files-created-as-root.patch
@@ -0,0 +1,37 @@
+Document in the man page that slapindex should be run as the same user
+as slapd, and print a warning if it's run as root (since Debian defaults
+to running slapd as openldap).
+
+Not suitable for upstream in this form.  This patch needs to be reworked
+to check the BerkeleyDB database ownership and only warn if running as
+root with a database that's not owned by root.
+
+Upstream ITS #5356 filed requesting better handling of this.  Current
+upstream discussion leans towards putting the check into the database
+backend and aborting if slapd is run as a different user than the database
+owner, which is an even better fix.
+
+--- a/doc/man/man8/slapindex.8
++++ b/doc/man/man8/slapindex.8
+@@ -148,6 +148,10 @@
+ should not be running (at least, not in read-write
+ mode) when you do this to ensure consistency of the database.
+ .LP
++slapindex ought to be run as the user specified for
++.BR slapd (8)
++to ensure correct database permissions.
++.LP
+ This command provides ample opportunity for the user to obtain
+ and drink their favorite beverage.
+ .SH EXAMPLES
+--- a/servers/slapd/slapindex.c
++++ b/servers/slapd/slapindex.c
+@@ -34,6 +34,8 @@
+ int
+ slapindex( int argc, char **argv )
+ {
++    if (geteuid() == 0)
++        fprintf( stderr, "\nWARNING!\nRunnig as root!\nThere's a fair chance slapd will fail to start.\nCheck file permissions!\n\n");
+        ID id;
+        int rc = EXIT_SUCCESS;
+        const char *progname = "slapindex";