On 05/29/2015 01:30 AM, Petter Reinholdtsen wrote:
> [James Valleroy]
>> Currently the LDAP admin password is generated during setup, and printed
>> in the log.
>
> Why is it printed in the log? Passwords should never be printed in any
> log.

I'm not sure. My patch will remove this though.

>> The attached patch will save the password to a file that only root can
>> read. Then during first-run, it will be changed to a new, random
>> password.
>
> Very good to get a unique LDAP password per installation! But saving
> passwords in clear text on the disk seems like a bad idea. What about
> not saving it on disk and instead providing a way to reset it as root when
> needed? Is the LDAP password for the admin user needed often? Can we
> use less privileged users instead?

I found that we can avoid needing the LDAP admin password, by using SASL
external authentication instead of simple authentication.

I attached an updated patch that does the following:

1. Removes password generation during setup. (Although slapd will still
   generate a password after install.)
2. During first-run, removes the admin password that slapd generated.
3. Sets root user as the RootDN for the users directory. This allows users
   with sudo privileges to run ldapadd/ldapmodify on this directory.

Regards,
James
diff --git a/first-run.d/50_ldap-server b/first-run.d/50_ldap-server
new file mode 100755
index 0000000..6b45da8
--- /dev/null
+++ b/first-run.d/50_ldap-server
@@ -0,0 +1,15 @@
+#!/bin/sh
+#
+# Remove LDAP admin password. Allow root to modify the users directory.
+
+cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+delete: olcRootPW
+
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+replace: olcRootDN
+olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
+
+EOF
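Review bot: The script is not idempotent and can silently lose the second change: both modifications go through one `ldapmodify` invocation without `-c`, so if `delete: olcRootPW` fails (attribute already gone on a second first-run, or never set by the postinst) ldapmodify stops there and the `replace: olcRootDN` step is never applied, while the script still exits 0 because the pipeline status is that of `ldapmodify` and nothing checks it. Suggest `set -e` at the top plus `ldapmodify -c -Y EXTERNAL -H ldapi:///`, or splitting the two operations so each one's result is visible. The hard-coded `olcDatabase={1}mdb` also bakes in the database index; a comment should say the script assumes the Debian default layout where the first data database is `{1}mdb`.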
diff --git a/setup.d/30_ldap-server b/setup.d/30_ldap-server
index 231e83a..c6c41c2 100755
--- a/setup.d/30_ldap-server
+++ b/setup.d/30_ldap-server
@@ -1,22 +1,14 @@
#!/bin/sh
-DEBIAN_FRONTEND=noninteractive apt-get install -y pwgen
-pwd="$(pwgen -1)"
-
domain=thisbox
echo slapd slapd/domain string $domain | debconf-set-selections
-echo slapd slapd/password1 password "$pwd" | debconf-set-selections
-echo slapd slapd/password2 password "$pwd" | debconf-set-selections
DEBIAN_FRONTEND=noninteractive apt-get install -y slapd ldap-utils
# Make sure slapd isn't running when we use slapadd
service slapd stop
-# slapcat -b cn=config
-
-#slapadd /usr/share/freedombox/ldap/root.ldif
cat <<EOF|slapadd
dn: ou=users,dc=$domain
objectClass: top
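Review bot: With the `slapd/password1` and `slapd/password2` preseeds removed, the slapd postinst still sets an `olcRootPW` that nothing in this script records, and the only thing that later removes it is `first-run.d/50_ldap-server`; add a comment next to the `apt-get install -y slapd ldap-utils` line stating that, because a reader of `setup.d/30_ldap-server` alone cannot tell that the admin account is intentionally left with an unknown password until first-run. Dropping the dead `# slapcat -b cn=config` and `#slapadd /usr/share/freedombox/ldap/root.ldif` lines is fine.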
@@ -24,5 +16,3 @@ objectClass: organizationalUnit
ou: users
EOF
-
-echo password: $pwd
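Review bot: Removing `echo password: $pwd` is the core of the fix, since this line is what wrote the admin password into the setup log; together with the first hunk it also removes the last use of `$pwd`, so no empty expansion is left behind. The patch has no commit message here; a one-liner saying the password is now removed at first-run instead of being generated and stored would help anyone reading the history later.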
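As an added example (not part of this thread or of FreedomBox), the following script checks the state the updated patch is meant to leave behind: it parses a `slapcat -b cn=config` style LDIF dump and reports any data database that still carries an `olcRootPW`, or whose `olcRootDN` is not the peercred identity used for SASL EXTERNAL over `ldapi:///`. The LDIF samples are constructed for the example; the attribute names and the peercred DN form are OpenLDAP's own.

```python
"""Audit an OpenLDAP cn=config LDIF dump for the two properties the first-run
script is meant to establish: no olcRootPW on any data database, and an
olcRootDN bound to the peercred (ldapi:/// SASL EXTERNAL) identity.
Added example, not code from the thread or from FreedomBox."""

import base64

# Identity slapd assigns to a local root process over ldapi:/// (OpenLDAP's form).
PEERCRED_ROOT_DN = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"


def parse_ldif(text):
    """Parse LDIF into a list of (dn, {attribute: [values]}).
    Handles folded continuation lines (leading space), base64 values ('::')
    and comment lines; entries are separated by blank lines."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # continuation of the previous line
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded:
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip()
        if value.startswith(":"):        # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            current = (value, {})
            continue
        if current is None:
            continue                     # attribute outside any entry: ignore
        current[1].setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def audit_databases(text):
    """Return (dn, message) findings for every data database (entries with an
    olcSuffix) that still has an olcRootPW or whose olcRootDN is not the
    peercred DN. An empty list means the config matches the patch's intent."""
    findings = []
    for dn, attrs in parse_ldif(text):
        if "olcSuffix" not in attrs:
            continue                     # cn=config / frontend: not a data DB
        if "olcRootPW" in attrs:
            findings.append((dn, "olcRootPW still set: a static admin secret remains"))
        root_dns = attrs.get("olcRootDN", [])
        if root_dns != [PEERCRED_ROOT_DN]:
            findings.append((dn, "olcRootDN is %r, expected the peercred DN" % root_dns))
    return findings


# Constructed sample: what a fresh Debian slapd install looks like before first-run
# (the olcRootPW value is a made-up string, not a real hash).
BEFORE = """\
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=thisbox
olcRootDN: cn=admin,dc=thisbox
olcRootPW:: e1NTSEF9ZXhhbXBsZS1ub3QtYS1yZWFsLWhhc2g=
"""

# Constructed sample: the same database after the first-run ldapmodify ran.
AFTER = """\
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=thisbox
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
olcAccess: to attrs=userPassword by self write by anonymous auth
  by * none
"""

if __name__ == "__main__":
    for label, dump in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_databases(dump) or "OK")
```

On a real host the input would be `slapcat -b cn=config` output run as root; the script needs no LDAP library, so it can run from a cron job or a test suite that keeps a known-good dump alongside it.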