
Re: Permissions, users, startup when install from source

--On Tuesday, January 15, 2013 2:35 PM -0800 Ori Bani <oribani@gmail.com> wrote:

> My "surprised" comment is in reference to the fact that the default
> build of OpenLDAP only supports SHA1, which is widely regarded as
> deprecated. Why hasn't the sha2 module been migrated out of the
> contrib directory is what I am getting at (which commonly requires
> situations like this -- forcing people who wouldn't otherwise do so to
> install from source just to obtain this feature). One could argue that
> situations like this contribute to the lack of adoption of stronger
> password schemes in general. Something of an off-topic tangent.

The "core" of OpenLDAP tries to be as RFC compliant as possible. There is no RFC that I'm aware of that adds SHA2 support. The "contrib" area is for modules that add non-RFC behavior to the stock behavior of OpenLDAP.

> Does anyone else know of any yum-compatible repos that have a
> sha2-enabled OpenLDAP build in them?  Anyone know anything about the
> OpenLDAP packages in RepoForge?

I always build OpenLDAP myself, so no idea.

> I naively assume slapd should generally not be run as root. In that
> case, is creating a ldap user/group and chowning the openldap-data
> directory the only things to do?

For slapd, I think it is generally an administrator preference. You are certainly more secure from any sort of potential root exploit by not running it as root.

As for chkconfig scripts, you can simply google for it... One example of many:

<http://www.faqs.org/docs/securing/chap26sec214.html> This one is clearly a bit old since it looks for slapd.conf and slurpd, but the basic concepts are there.

or you could just look at the one that ships with RHEL/CentOS...



Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
Zimbra ::  the leader in open source messaging and collaboration
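The thread leaves the "create an ldap user, chown the data directory, start slapd unprivileged" steps as prose. The script below is an added example written for this page; it is not code from the thread, from OpenLDAP, or from any distribution init script. It assumes a service account named "ldap", a database directory at /var/lib/ldap (the usual home of the openldap-data contents on RHEL-style systems), and a cn=config directory at /etc/openldap/slapd.d; the `slapd -u`/`-g` flags it relies on are real and make slapd bind its listeners as root and then drop to the named user and group. The ownership and permission check is the pre-flight test a non-root deployment most often gets wrong: a data directory that slapd cannot write, or that everyone can write.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenLDAP project):
# prepare a data directory for an unprivileged slapd and start it.
# Assumed layout (adjust to taste): service account "ldap",
# database directory /var/lib/ldap, config directory /etc/openldap/slapd.d.

LDAP_USER="${LDAP_USER:-ldap}"
LDAP_GROUP="${LDAP_GROUP:-ldap}"
DATA_DIR="${DATA_DIR:-/var/lib/ldap}"
CONF_DIR="${CONF_DIR:-/etc/openldap/slapd.d}"

# Return 0 when DIR exists, is owned by USER, and is neither group- nor
# world-writable. Otherwise print the reason and return 1.
# Uses only POSIX find: "-prune" keeps the test on DIR itself.
check_data_dir() {
  dir="$1"; user="$2"
  if [ ! -d "$dir" ]; then
    echo "missing: $dir"
    return 1
  fi
  if [ -z "$(find "$dir" -prune -user "$user" -print 2>/dev/null)" ]; then
    echo "wrong owner: $dir is not owned by $user"
    return 1
  fi
  if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
    echo "too permissive: $dir is group- or world-writable"
    return 1
  fi
  return 0
}

# Create the service account (no login shell, no home) and take
# ownership of the database directory. Must run as root.
prepare_data_dir() {
  id "$LDAP_USER" >/dev/null 2>&1 || \
    useradd -r -s /sbin/nologin -d "$DATA_DIR" "$LDAP_USER"
  mkdir -p "$DATA_DIR"
  chown -R "$LDAP_USER:$LDAP_GROUP" "$DATA_DIR"
  chmod 700 "$DATA_DIR"
}

# Start slapd as root only long enough to bind port 389; -u/-g make it
# drop to the unprivileged account before serving requests.
start_slapd() {
  check_data_dir "$DATA_DIR" "$LDAP_USER" || return 1
  slapd -u "$LDAP_USER" -g "$LDAP_GROUP" -F "$CONF_DIR" -h "ldap:/// ldapi:///"
}

# Typical use from an init script (run as root):
#   prepare_data_dir && start_slapd
```

The `ldapi:///` listener is included so local tools can use SASL EXTERNAL over the Unix socket instead of a password; drop it if the deployment does not need it. The check is deliberately strict about group-write as well as world-write, since a data directory writable by a shared group is the same exposure as a shared password file.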