[James Valleroy]
> Currently the LDAP admin password is generated during setup, and printed
> in the log.

Why is it printed in the log? Passwords should never be printed in any log.

> The attached patch will save the password to a file that only root can
> read. Then during first-run, it will be changed to a new, random
> password.

Very good to get a unique LDAP password per installation! But saving
passwords in clear text on the disk seems like a bad idea. What about not
saving it on disk and instead providing a way to reset it as root when
needed? Is the LDAP password for the admin user needed often? Can we use
less privileged users instead?

Also, should this code also use chmod 0600?

> +if [ $? -eq 0 ]; then
> + echo $new_pwd >/etc/ldap/ldap-admin
> +fi

Perhaps also set the owner and group of the file to make sure it has the
value we expect? The same goes for this code:

> +echo $pwd >/etc/ldap/ldap-admin
> +chmod 600 /etc/ldap/ldap-admin

--
Happy hacking
Petter Reinholdtsen
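Review bot: in the first hunk, `echo $new_pwd >/etc/ldap/ldap-admin` creates the file under the process umask (typically 022, so group- and world-readable) and nothing in the hunk tightens the mode afterwards, so the password is readable by every local user. Set `umask 077` before the redirect, or pre-create the file with `install -m 600 -o root -g root /dev/null /etc/ldap/ldap-admin`, so it is never readable by others even briefly. Also quote the variable and prefer `printf '%s\n' "$new_pwd"`: an unquoted `$new_pwd` is subject to word splitting and glob expansion, and `echo` may interpret backslash sequences that can occur in a random password. The `if [ $? -eq 0 ]` guard depends on whatever command happened to run just before it; testing that command directly in the `if` is less fragile.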
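Review bot: in the second hunk, `chmod 600` runs only after the redirect has already created and filled the file, so under the default umask there is a window in which /etc/ldap/ldap-admin holds the password with world-readable permissions. Set `umask 077` before the `echo`, or create the file with mode 600 first and write into it afterwards. Ownership is never set, so add `chown root:root /etc/ldap/ldap-admin` (or use `install -m 600 -o root -g root`) as Petter suggests. As in the first hunk, quote the variable and use `printf '%s\n' "$pwd"` rather than an unquoted `echo $pwd`.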
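One way to write the password file with the mode and ownership discussed above, as an added example that is not part of the patch or of this thread (the function names and the temp-file scheme are assumptions of mine; it assumes POSIX sh and GNU coreutils):

```shell
#!/bin/sh
# Added example: create a root-only secret file so the plaintext password
# is never readable by other users, not even for an instant.

# write_secret_file FILE SECRET
# Writes SECRET (plus newline) into FILE with mode 0600, owned by root when
# running as root, and replaces FILE atomically via rename.
write_secret_file() {
    file=$1
    secret=$2
    dir=$(dirname -- "$file")
    tmp="$dir/.$(basename -- "$file").tmp.$$"

    # Restrictive umask in a subshell: the temp file is born 0600, so there
    # is no window where chmod has not yet run (unlike chmod-after-write).
    (
        umask 077
        # printf, not echo: no backslash interpretation, and the variable
        # is quoted so the password is written verbatim.
        printf '%s\n' "$secret" > "$tmp"
    ) || return 1

    chmod 600 "$tmp" || { rm -f "$tmp"; return 1; }
    # Only root may chown; when run unprivileged the file simply stays
    # owned by the caller.
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    # rename is atomic on one filesystem: readers see the old file or the
    # new one, never a half-written one.
    mv -f -- "$tmp" "$file"
}

# secret_file_ok FILE
# Returns 0 when FILE is a regular file with mode exactly 0600; usable as a
# post-install sanity check for /etc/ldap/ldap-admin.
secret_file_ok() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -prune -perm 0600)" ] || return 1
}
```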

