[blfs-book] r12645 - in trunk/BOOK: . server/other

fernando at higgs.linuxfromscratch.org fernando at higgs.linuxfromscratch.org
Wed Jan 29 08:40:48 PST 2014


Author: fernando
Date: Wed Jan 29 08:40:48 2014
New Revision: 12645

Log:
openldap-2.4.39. Fix again. Thanks Armin K.

Modified:
   trunk/BOOK/general.ent
   trunk/BOOK/server/other/openldap.xml

Modified: trunk/BOOK/general.ent
==============================================================================
--- trunk/BOOK/general.ent	Tue Jan 28 18:10:40 2014	(r12644)
+++ trunk/BOOK/general.ent	Wed Jan 29 08:40:48 2014	(r12645)
@@ -1,12 +1,12 @@
 <!-- $LastChangedBy$ $Date$ -->
 
-<!ENTITY day          "28">                   <!-- Always 2 digits -->
+<!ENTITY day          "29">                   <!-- Always 2 digits -->
 <!ENTITY month        "01">                   <!-- Always 2 digits -->
 <!ENTITY year         "2014">
 <!ENTITY copyrightdate "2001-&year;">
 <!ENTITY copyholder   "The BLFS Development Team">
 <!ENTITY version      "&year;-&month;-&day;">
-<!ENTITY releasedate  "January 28th, &year;">
+<!ENTITY releasedate  "January 29th, &year;">
 <!ENTITY pubdate      "&year;-&month;-&day;"> <!-- metadata req. by TLDP -->
 <!ENTITY blfs-version "svn">                  <!-- svn|[release #] -->
 <!ENTITY lfs-version  "development">          <!-- version|testing|unstable|development] -->

Modified: trunk/BOOK/server/other/openldap.xml
==============================================================================
--- trunk/BOOK/server/other/openldap.xml	Tue Jan 28 18:10:40 2014	(r12644)
+++ trunk/BOOK/server/other/openldap.xml	Wed Jan 29 08:40:48 2014	(r12645)
@@ -206,15 +206,26 @@
 
 <screen role="root"><userinput>make install &&
 
-chown -v -R ldap:ldap /var/lib/openldap                           &&
-chmod -v 0644 /var/lib/openldap/DB_CONFIG.example                 &&
-chmod -v 0644 /etc/openldap/{slapd.{conf,ldif},DB_CONFIG.example} &&
+chmod -v 700 /var/lib/openldap                                         &&
+chown -v -R ldap:ldap /var/lib/openldap                                &&
+chmod -v 640 /etc/openldap/{slapd.{conf,ldif},DB_CONFIG.example}       &&
+chown -v root:ldap /etc/openldap/{slapd.{conf,ldif},DB_CONFIG.example} &&
+install -v -dm700 -o ldap -g ldap /etc/openldap/slapd.d                &&
 
 install -v -dm755  /usr/share/doc/openldap-&openldap-version; &&
 cp -vfr doc/drafts /usr/share/doc/openldap-&openldap-version; &&
 cp -vfr doc/rfc    /usr/share/doc/openldap-&openldap-version; &&
 cp -vfr doc/guide  /usr/share/doc/openldap-&openldap-version;</userinput></screen>
 
+    <para>
+      Having slapd configuration files and ldap databases in /var/lib/openldap
+      readable by anyone is a SECURITY ISSUE, especially since a file stores
+      admin password in PLAIN TEXT. That's why mode 640 and root:ldap ownership
+      were used. Owner is root, so only root can modify the file, and group is
+      ldap, so that the group which owns slapd daemon could read but not modify
+      the file in case of a security breach. 
+    </para>
+
   </sect2>
 
   <sect2 role="commands">
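Review bot: The new explanatory paragraph says the owner is root so only root can modify the configuration, but the same hunk creates `/etc/openldap/slapd.d` with `install -v -dm700 -o ldap -g ldap`, i.e. owned and writable by the daemon's user, so the stated rationale does not cover that directory and a reader may take it for a mistake. I would add one sentence after "the file in case of a security breach.", e.g. `The exception is /etc/openldap/slapd.d, which is owned by ldap because slapd itself writes its dynamic configuration there; it is therefore kept at mode 700 so nobody else can read it.` (the "writes there" part is my inference and should be confirmed against the slapd documentation before committing). The paragraph's "a file stores admin password in PLAIN TEXT" would also be more useful if it named the file and directive it means (presumably the `rootpw` setting in `slapd.conf`, which is not shown in this hunk) and pointed out that the value can be stored as a hash generated with `slappasswd` instead of the literal password, so that the 640 permissions are a second layer rather than the only one. Minor: "slapd configuration files and ldap databases" reads better as "the slapd configuration files and the LDAP databases", and the trailing space after "breach." can be dropped.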


