Thursday January 26, 2006 | cn=Directory Manager: All about Directory Server
Frequently-Asked Questions #3: Log File Permissions

Q: Can I configure the permissions used to create the access/error/audit log files?

A: Not in current releases. This frequently-requested feature will be available in the upcoming 6.0 release, but it is not available in the 5.x server. The reason this feature is requested so often is that the Directory Server is currently hard-coded to create log files owned by the user defined in the nsslapd-localuser configuration attribute, with permissions of 0600. This means that only that user and the root account (or, on Solaris 10, any account with the file_dac_read privilege) will be able to read these files. Many customers would like to be able to set the permissions to 0640 so that anyone in the same group as the Directory Server user could at least read the files.

Until the 6.0 version arrives, there are a couple of things that can be done. Some customers have set up a cron job that periodically changes the permissions on these files. While it is both simple and effective, it is kind of an ugly hack. Nevertheless, on some platforms it may be about the only effective solution. On Solaris, however, a better approach is to run the Directory Server as a role rather than a normal user (I've actually already written about that here). In this case, any user that is a member of that role will be able to assume the role so that they can access the log files and perform any other administrative function that would otherwise require them to become the Directory Server user or would require root access. See my previous post for all the details, but the basic means of converting the Directory Server user account to a role is to issue the command:
(replace "dirsrv" with the name of the account that you actually use for the Directory Server) and then assign a password for that role with the passwd command. Then, for each user that should be allowed to assume this role, issue the following command:
The ability to use roles in this manner has been around since Solaris 2.7, so it is available for all versions of Solaris on which we support the Directory Server.

Posted by cn_equals_directory_manager (Jan 26 2006, 09:39:37 AM CST)
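For readers on a platform where the cron-job workaround described in the post is the only option, here is an added example of what such a job can look like; it is not code from the post or from the Directory Server product. It assumes the log directory and the server's user name are passed as arguments and that the logs are named access*, errors* and audit* (these names and paths are assumptions, not taken from the post). The function is deliberately conservative: it only widens files that are regular (not symlinks), owned by the server user, and still at the hard-coded 0600, so a stray file or a link planted in the log directory is never touched. It does not change group ownership, so the group that gains read access is the server user's own group.

```shell
#!/bin/sh
# Added example: conservative "fix the log permissions" job for a 5.x
# Directory Server. Not part of the original post; directory layout,
# file names and the user name are assumptions passed in as arguments.
#
# Assumed crontab entry (every five minutes):
#   */5 * * * * /usr/local/sbin/relax_log_perms.sh /path/to/instance/logs dirsrv

# relax_log_perms LOGDIR OWNER
# Widens access*/errors*/audit* files in LOGDIR from 0600 to 0640, but only
# when they are regular, non-symlink files owned by OWNER. Prints the number
# of files changed.
relax_log_perms() {
    logdir=$1
    owner=$2
    changed=0
    for f in "$logdir"/access* "$logdir"/errors* "$logdir"/audit*; do
        # Skip unmatched globs and anything that is not a plain file.
        [ -f "$f" ] || continue
        # Refuse to follow symlinks: chmod would act on the link target.
        [ -L "$f" ] && continue
        # Only touch files the server itself created (owned by its user)
        # and only those still at the hard-coded 0600.
        [ -n "$(find "$f" -user "$owner" -perm 0600 -print)" ] || continue
        chmod 0640 "$f" && changed=$((changed + 1))
    done
    echo "$changed"
}
```

Because the job re-checks ownership and mode on every run, it can be left in cron indefinitely: once the server rotates to a new log file, the next run picks it up, and files that are already 0640 are left alone.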