From 4c2aea096aadb0fef5eb7551b272592dc9d595c0 Mon Sep 17 00:00:00 2001 From: Quanah Gibson-Mount Date: Thu, 30 Sep 2021 16:23:37 +0000 Subject: [PATCH] ITS#9639 - Document chroot requirements for slapd. Thanks to dpa-openldap@aegee.org --- doc/man/man8/slapd.8 | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8 index 8504b3736d..b1bb5d5a9d 100644 --- a/doc/man/man8/slapd.8 +++ b/doc/man/man8/slapd.8 @@ -251,7 +251,13 @@ used as a security mechanism, it should be used in conjunction with .B \-u and .B \-g -options. +options. The chroot environment must contain the Cyrus SASL plugins, the +TLS certificates, and dev/urandom. For Kerberos V: the keytab and the +/var/tmp directory, unless the value of the variable KRB5RCACHEDIR is +changed. For the systemd service with type=notify the file +/run/systemd/notify within the chroot must be bind-mounted to +/run/systemd/notify outside the chroot. The file can be mounted on +ExecStartPre= and unmounted in ExecStartPost=. .TP .BI \-u \ user .B slapd -- GitLab
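Review bot: The added sentence about systemd states the bind mount in an ambiguous direction: "the file /run/systemd/notify within the chroot must be bind-mounted to /run/systemd/notify outside the chroot" can be read as mounting the chroot path onto the host path. Suggest wording it so that the host's /run/systemd/notify is the source and the path inside the chroot is the mount point. In the same hunk, paths are given inconsistently: "dev/urandom" is relative, while "/var/tmp" and "/run/systemd/notify" are absolute. Pick one convention and say once that all paths are relative to the chroot directory. The systemd directive is spelled "Type=notify", not "type=notify", and "mounted on ExecStartPre=" next to "unmounted in ExecStartPost=" should use the same preposition. "For Kerberos V: the keytab and the /var/tmp directory, unless ..." is a fragment; a full sentence such as "For Kerberos V, the chroot must also contain the keytab and the /var/tmp directory, unless ..." reads better in a man page. Since this paragraph already recommends combining the chroot with the -u and -g options, it may also be worth stating that the certificates and keytab placed in the chroot need to be readable by that user.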