Author: fernando
Date: Wed Jan 29 08:40:48 2014
New Revision: 12645
Log:
openldap-2.4.39. Fix again. Thanks Armin K.
Modified:
trunk/BOOK/general.ent
trunk/BOOK/server/other/openldap.xml
Modified: trunk/BOOK/general.ent
==============================================================================
--- trunk/BOOK/general.ent Tue Jan 28 18:10:40 2014 (r12644)
+++ trunk/BOOK/general.ent Wed Jan 29 08:40:48 2014 (r12645)
@@ -1,12 +1,12 @@
<!-- $LastChangedBy$ $Date$ -->
-<!ENTITY day "28"> <!-- Always 2 digits -->
+<!ENTITY day "29"> <!-- Always 2 digits -->
<!ENTITY month "01"> <!-- Always 2 digits -->
<!ENTITY year "2014">
<!ENTITY copyrightdate "2001-&year;">
<!ENTITY copyholder "The BLFS Development Team">
<!ENTITY version "&year;-&month;-&day;">
-<!ENTITY releasedate "January 28th, &year;">
+<!ENTITY releasedate "January 29th, &year;">
<!ENTITY pubdate "&year;-&month;-&day;"> <!-- metadata req. by TLDP -->
<!ENTITY blfs-version "svn"> <!-- svn|[release #] -->
<!ENTITY lfs-version "development"> <!--
version|testing|unstable|development] -->
Modified: trunk/BOOK/server/other/openldap.xml
==============================================================================
--- trunk/BOOK/server/other/openldap.xml Tue Jan 28 18:10:40 2014
(r12644)
+++ trunk/BOOK/server/other/openldap.xml Wed Jan 29 08:40:48 2014
(r12645)
@@ -206,15 +206,26 @@
<screen role="root"><userinput>make install &&
-chown -v -R ldap:ldap /var/lib/openldap &&
-chmod -v 0644 /var/lib/openldap/DB_CONFIG.example &&
-chmod -v 0644 /etc/openldap/{slapd.{conf,ldif},DB_CONFIG.example} &&
+chmod -v 700 /var/lib/openldap
&&
+chown -v -R ldap:ldap /var/lib/openldap
&&
+chmod -v 640 /etc/openldap/{slapd.{conf,ldif},DB_CONFIG.example}
&&
+chown -v root:ldap /etc/openldap/{slapd.{conf,ldif},DB_CONFIG.example}
&&
+install -v -dm700 -o ldap -g ldap /etc/openldap/slapd.d
&&
install -v -dm755 /usr/share/doc/openldap-&openldap-version; &&
cp -vfr doc/drafts /usr/share/doc/openldap-&openldap-version; &&
cp -vfr doc/rfc /usr/share/doc/openldap-&openldap-version; &&
cp -vfr doc/guide
/usr/share/doc/openldap-&openldap-version;</userinput></screen>
+ <para>
+ Having slapd configuration files and ldap databases in /var/lib/openldap
+ readable by anyone is a SECURITY ISSUE, especially since a file stores
+ admin password in PLAIN TEXT. That's why mode 640 and root:ldap ownership
+ were used. Owner is root, so only root can modify the file, and group is
+ ldap, so that the group which owns slapd daemon could read but not modify
+ the file in case of a security breach.
+ </para>
+
</sect2>
<sect2 role="commands">
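Review bot: The new paragraph justifies mode 640 and root:ldap ownership for the files under /etc/openldap, but says nothing about the line `install -v -dm700 -o ldap -g ldap /etc/openldap/slapd.d`, which deliberately departs from that rule by making the ldap user the owner, and thus a writer, of that directory. A reader who applies the "root owns, ldap only reads" principle from the paragraph could later reset slapd.d to root ownership and, if the cn=config (slapd.d) style of configuration is used, presumably stop slapd from updating its own configuration there. Suggest extending the paragraph with a sentence such as `The slapd.d directory is instead owned by ldap because slapd itself writes to it when the cn=config configuration style is used.` It would also help to name the file meant by "a file stores admin password in PLAIN TEXT" — presumably the rootpw directive in slapd.conf or slapd.ldif — so the reader knows exactly which file the restrictive mode protects. The enclosing sect2 element starts before the hunk.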