[James Valleroy]
> Currently the LDAP admin password is generated during setup, and printed
> in the log.

Why is it printed in the log?  Passwords should never be printed in any
log.

> The attached patch will save the password to a file that only root can
> read. Then during first-run, it will be changed to a new, random
> password.

Very good to get a unique LDAP password per installation!  But saving
passwords in clear text on the disk seems like a bad idea.  What about
not saving it on disk and instead providing a way to reset it as root when
needed?  Is the LDAP password for the admin user needed often?  Can we
use less privileged users instead?

Also, should this code use chmod 0600?

> +if [ $? -eq 0 ]; then
> +    echo $new_pwd >/etc/ldap/ldap-admin
> +fi
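Review bot: the `echo $new_pwd >/etc/ldap/ldap-admin` line in this branch creates the file with whatever the process umask allows (typically mode 644) and nothing in the hunk tightens it afterwards, so the freshly generated admin password is readable by every local user. `$new_pwd` is also unquoted, so a password containing whitespace or glob characters would be word-split or expanded before it is written, and `echo` may mangle values beginning with `-` or containing backslashes. Suggest creating the file restricted from the start and writing it with printf, e.g. `(umask 077; printf '%s\n' "$new_pwd" >/etc/ldap/ldap-admin)` followed by `chown root:root /etc/ldap/ldap-admin`.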

Perhaps also set the owner and group of the file to make sure it has the
value we expect?

The same goes for this code:

> +echo $pwd >/etc/ldap/ldap-admin
> +chmod 600 /etc/ldap/ldap-admin
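Review bot: the `echo $pwd >/etc/ldap/ldap-admin` followed by `chmod 600` ordering is the wrong way round: the redirection creates the file with the default umask first, and only the second command restricts it, leaving a window in which another local user can open the file and read the password. Set the permissions before the write, for instance `install -m 600 -o root -g root /dev/null /etc/ldap/ldap-admin` and then `printf '%s\n' "$pwd" >/etc/ldap/ldap-admin`, or run the redirection under `umask 077` in a subshell. As in the earlier hunk, `$pwd` should be quoted so that the value is written verbatim.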

-- 
Happy hacking
Petter Reinholdtsen
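The pattern discussed above (a secret written to a file that is never readable by anyone but root, with the permissions set before rather than after the write), as an added example that is neither the patch under review nor Petter's code. It assumes a POSIX shell with `mktemp`, `stat` and `printf`; to run unprivileged it writes under a temporary directory instead of `/etc/ldap/ldap-admin`, and the `chown root:root` step is only attempted when actually running as root. The sample password is constructed to contain characters that an unquoted `echo $pwd` would mangle.

```shell
#!/bin/sh
# Added example, not code from the FreedomBox patch or from the reviewer.
#
# Why the ordering matters: `echo $pwd >file; chmod 600 file` first creates
# the file with the process umask (usually 022, giving mode 644) and only then
# tightens it, so any local user can read the password in between.  Creating
# the file already restricted (mktemp gives mode 600, or `umask 077` before the
# redirection) closes that window.
#
# Assumptions (not from the thread): paths are passed in by the caller; the
# demo writes under a temporary directory so it runs without root, whereas the
# real patch writes /etc/ldap/ldap-admin as root.

set -eu

# write_secret_file DEST SECRET
# Writes SECRET to DEST so that the file is owner-readable only at every step.
write_secret_file() {
    dest=$1
    secret=$2
    dir=$(dirname -- "$dest")

    # mktemp creates the file with mode 600 from the start; the later chmod is
    # belt and braces in case a platform's mktemp behaves differently.
    tmp=$(mktemp "$dir/.ldap-admin.XXXXXX")
    chmod 600 "$tmp"

    # Quote the variable and use printf: an unquoted $pwd is word-split and
    # glob-expanded, and echo may misinterpret a value starting with '-'.
    printf '%s\n' "$secret" > "$tmp"

    # Only root can change ownership; an unprivileged run keeps the caller's
    # uid/gid, which is the intended owner in that case anyway.
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$tmp"
    fi

    # Atomic rename: readers never see a partially written or wrongly owned file.
    mv -f -- "$tmp" "$dest"
}

# file_mode PATH -> octal permission bits, e.g. 600 (GNU stat, BSD fallback).
file_mode() {
    stat -c '%a' -- "$1" 2>/dev/null || stat -f '%Lp' -- "$1"
}

# Demo on a constructed password containing a glob, a space and a '$'.
demo() {
    dir=$(mktemp -d)
    write_secret_file "$dir/ldap-admin" 'p*ss word $HOME'
    echo "mode of $dir/ldap-admin: $(file_mode "$dir/ldap-admin")"
    echo "stored value: $(cat "$dir/ldap-admin")"
    rm -rf -- "$dir"
}

demo
```

Running it as root additionally exercises the `chown root:root` branch; in either case the file is created with mode 600 before a single byte of the password is written, and the stored value matches the input byte for byte.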

