Re: Permissions, users, startup when install from source



Thanks for your reply,

>> If compiling and installing from source, I don't see any information
>> in the manual about how to auto-start the software and about
>> process/file/directory permissions and ownership. I'm still searching
>> the Faq-O-Matic (which is a little frustrating).
>>
>> Taking a step back, I'd love to install from yum on RHEL/CentOS and
>> let it be taken care of in a trusted manner. But we require better
>> password hashing than SHA1, so we are required to compile by hand
>> using the passwd/sha2 contributed module (little surprised this isn't
>> accepted into the core project, but I'm sure there are reasons).
>> Maybe I can find this in a third-party repo somewhere?
>
> Not sure what you mean.  the SHA2 contrib module is shipped with every
> OpenLDAP release.  Thus, as best I can tell, it is indeed included.

My "surprised" comment is in reference to the fact that the default
build of OpenLDAP only supports SHA1, which is widely regarded as
deprecated. Why the sha2 module hasn't been migrated out of the
contrib directory is what I am getting at (which commonly leads to
situations like this -- forcing people who wouldn't otherwise do so to
install from source just to obtain this feature). One could argue that
situations like this contribute to the lack of adoption of stronger
password schemes in general. Something of an off-topic tangent.

> If you are using RHEL or CentOS, you may be interested in
> <http://ltb-project.org/wiki/download#openldap>

Great.  I will investigate.

Does anyone else know of any yum-compatible repos that have a
sha2-enabled OpenLDAP build in them?  Anyone know anything about the
OpenLDAP packages in RepoForge?

I actually only assumed without testing that the OpenLDAP package in
the CentOS base repo doesn't have the sha2 module compiled in. I
should go back and check that assumption.

Also, reflecting on the installation of the sha2 module, it occurs to
me that short of the CentOS repo package already having sha2 compiled
in, the best course of action is probably to compile only the sha2
module and use it with the CentOS package --- including the module in
the slapd configuration seems to be the extent of integration, so that
should work, no? If so, I think this would be the best option.

>> After installation, what is commonly done in this regard?  Create
>> user/group "ldap" with no login shell and chown ldap:ldap on
>> /usr/local/var/openldap-data?  Is that all?
>
> It depends on your needs.  I have done anything from running slapd as root,
> to running it as a specific user.

I'd welcome pointers to somewhere this is discussed (I don't see it in
the docs, maybe in the FAQ?). I don't have needs that are much
different from anyone else's.

I naively assume slapd should generally not be run as root. In that
case, is creating an ldap user/group and chowning the openldap-data
directory the only thing to do?

>> Then what do people use for auto-starting the software (presumably
>> with -u ldap -g ldap) in a RedHat environment?
>
> I wrote my own startup script that works with chkconfig.
> <http://linuxcommand.org/man_pages/chkconfig8.html>

I'm looking for anyone who wants to share such scripts.

Thanks kindly for your time, much appreciated.
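The post-install steps the thread circles around (a no-login "ldap" account, ownership and mode of /usr/local/var/openldap-data, starting slapd with -u/-g from a chkconfig-style script, and confirming the sha2 contrib module is actually the scheme in use) collected into one script. This is an added example, not code from the thread, the OpenLDAP project or the LTB project; the account name "ldap", the /usr/local/etc/openldap/slapd.conf location and the useradd/getent invocations are assumptions for a RHEL/CentOS host. The `check` functions are pure and can be run by any user; `setup` and `start` need root.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenLDAP project): post-install
# hardening for a source-built slapd on RHEL/CentOS, plus checks a defender
# can run afterwards. Paths are the /usr/local defaults the thread refers
# to; the "ldap" account name and the config location are assumptions.

SLAPD_USER="${SLAPD_USER:-ldap}"
SLAPD_GROUP="${SLAPD_GROUP:-ldap}"
SLAPD_DATA="${SLAPD_DATA:-/usr/local/var/openldap-data}"
SLAPD_CONF="${SLAPD_CONF:-/usr/local/etc/openldap/slapd.conf}"
SLAPD_BIN="${SLAPD_BIN:-/usr/local/libexec/slapd}"

# Portable ownership/mode readers (parse `ls -ld`, so no GNU-only stat flags).
owner_of() { ls -ld "$1" | awk '{print $3}'; }
group_of() { ls -ld "$1" | awk '{print $4}'; }
mode_of()  { ls -ld "$1" | awk '{print substr($1, 1, 10)}'; }

# check_private_dir DIR USER GROUP
# Succeeds only if DIR exists, is owned by USER:GROUP and grants nothing to
# group or others. The database files under openldap-data contain the
# password hashes, so anything looser than 0700 exposes them to every
# local account.
check_private_dir() {
    [ -d "$1" ] || return 1
    [ "$(owner_of "$1")" = "$2" ] || return 1
    [ "$(group_of "$1")" = "$3" ] || return 1
    case "$(mode_of "$1")" in
        d???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# config_uses_sha2 FILE
# Succeeds if slapd.conf both loads the contrib pw-sha2 module and selects a
# SHA-2 scheme for password-hash. Loading the module alone changes nothing;
# without the password-hash line slapd keeps the default {SSHA} (SHA-1).
config_uses_sha2() {
    grep -Eq '^[[:space:]]*moduleload[[:space:]]+pw-sha2' "$1" &&
    grep -Eq '^[[:space:]]*password-hash[[:space:]]+[{]S?SHA(256|384|512)[}]' "$1"
}

# create_service_account: system account, no password, no login shell.
create_service_account() {
    getent group "$SLAPD_GROUP" >/dev/null 2>&1 || groupadd -r "$SLAPD_GROUP"
    getent passwd "$SLAPD_USER" >/dev/null 2>&1 ||
        useradd -r -g "$SLAPD_GROUP" -d "$SLAPD_DATA" -s /sbin/nologin "$SLAPD_USER"
}

# fix_permissions: data dir private to the service account; config owned by
# root but readable by the service group, because slapd has already switched
# to the -u/-g identity by the time it opens it.
fix_permissions() {
    chown -R "$SLAPD_USER:$SLAPD_GROUP" "$SLAPD_DATA"
    chmod 700 "$SLAPD_DATA"
    chown "root:$SLAPD_GROUP" "$SLAPD_CONF"
    chmod 640 "$SLAPD_CONF"
}

# start_slapd: the command the start) branch of a chkconfig init script runs.
# slapd binds its listeners as root, then drops to the unprivileged account.
start_slapd() {
    "$SLAPD_BIN" -u "$SLAPD_USER" -g "$SLAPD_GROUP" -f "$SLAPD_CONF"
}

case "${1:-}" in
    setup) create_service_account && fix_permissions ;;
    check) check_private_dir "$SLAPD_DATA" "$SLAPD_USER" "$SLAPD_GROUP" &&
           config_uses_sha2 "$SLAPD_CONF" &&
           echo "slapd hardening checks passed" ;;
    start) start_slapd ;;
esac
```

Run `sh slapd-harden.sh setup` once as root after `make install`, put `start_slapd` into the start) branch of the init script (with the usual `# chkconfig:` header lines), and keep `sh slapd-harden.sh check` in whatever periodic audit already runs on the host: it catches both a data directory that drifted back to group-readable and a slapd.conf where the module was loaded but password-hash still defaults to {SSHA}.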