[Freeipa-devel] IPA service user(s)
Rob Crittenden
rcritten at redhat.com
Wed Feb 22 16:30:37 UTC 2012
For the most part IPA runs its services using whatever the default unix
user is for that service, e.g. Apache as httpd, ntpd as ntp, etc.
389-ds doesn't have a system user. We create one named dirsrv in
ipa-server-install and use that. We also remove this user when uninstalling.
This can leave orphaned files, particularly log files.
We've seen a few problems when upgrading to 2.2 due to this. 2.2 adds a
memcached and a new unix user, memcache. If you've installed IPA,
uninstalled IPA, then installed a new package that adds a user (like
memcache), then it will get the dirsrv uid and things go downhill from
there. Your slapd logs, lock, and run dirs will be owned by memcache and
installation will fail very early.
Short-term fix for this is to not delete the dirsrv user when
uninstalling IPA.
Mid-term fix for this is to make dirsrv a known unix service user.
Long-term fix is, well, up for discussion. Should we create an ipa user
and run everything as this? This might require relocating a bunch of
configuration so we can have custom SELinux policy. It also means we
can/could lock down SELinux differently than the default system (read
tighter).
Thoughts?
rob
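A pre-install check for the uid-reuse failure described in this message, added here as an example and not part of the thread or of FreeIPA: it walks the directories 389-ds is expected to own and reports every file whose uid is either unassigned (orphaned after the user was deleted) or now resolves to a different user. The directory list is constructed for illustration, and `getpwuid` is injectable so the logic can be exercised with a fake passwd table.

```python
import os
import pwd
from dataclasses import dataclass
from typing import Callable, Iterable, Iterator, List, Optional, Tuple

# Directories ipa-server-install expects the dirsrv user to own
# (constructed list for illustration; adjust to the host's actual layout).
DIRSRV_PATHS = ["/var/log/dirsrv", "/var/lock/dirsrv", "/var/run/dirsrv"]

@dataclass
class OwnershipIssue:
    path: str
    uid: int
    owner: Optional[str]  # None: no passwd entry maps to the uid (orphaned file)

def owner_name(uid: int, getpwuid: Callable = pwd.getpwuid) -> Optional[str]:
    """Resolve a numeric uid to a user name, or None if the uid is unassigned."""
    try:
        return getpwuid(uid).pw_name
    except KeyError:
        return None

def find_ownership_issues(entries: Iterable[Tuple[str, int]], expected_user: str,
                          getpwuid: Callable = pwd.getpwuid) -> List[OwnershipIssue]:
    """Report every (path, uid) whose uid no longer resolves to expected_user.

    Covers both outcomes of deleting dirsrv at uninstall: a uid that is now
    orphaned, and a uid that a later-created user (e.g. memcache) has reused.
    """
    issues = []
    for path, uid in entries:
        name = owner_name(uid, getpwuid)
        if name != expected_user:
            issues.append(OwnershipIssue(path, uid, name))
    return issues

def walk_uids(roots: Iterable[str]) -> Iterator[Tuple[str, int]]:
    """Yield (path, uid) for each existing root and everything beneath it."""
    for root in roots:
        if not os.path.lexists(root):
            continue
        yield root, os.lstat(root).st_uid
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                full = os.path.join(dirpath, name)
                yield full, os.lstat(full).st_uid

if __name__ == "__main__":  # run on a real host before ipa-server-install
    for i in find_ownership_issues(walk_uids(DIRSRV_PATHS), "dirsrv"):
        print(f"{i.path}: uid {i.uid} is {i.owner or 'unassigned'}, expected dirsrv")
```

Any line of output means the dirsrv directories should be re-owned (or the dirsrv user recreated with its original uid) before the installer is run again.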