On 05/29/2015 01:30 AM, Petter Reinholdtsen wrote:
> 
> [James Valleroy]
>> Currently the LDAP admin password is generated during setup, and printed
>> in the log.
> 
> Why is it printed in the log?  Passwords should never be printed in any
> log.

I'm not sure. My patch will remove this though.

>> The attached patch will save the password to a file that only root can
>> read. Then during first-run, it will be changed to a new, random
>> password.
> 
> Very good to get a unique LDAP password per installation!  But saving
> passwords in clear text on the disk seems like a bad idea.  What about
> not saving it on disk and instead provide a way to reset it as root when
> needed?  Is the ldap password for the admin user needed often?  Can we
> use less privileged users instead?

I found that we can avoid needing the LDAP admin password, by using SASL
external authentication instead of simple authentication. I attached an
updated patch that does the following:

1. Removes password generation during setup. (Although slapd will still
generate a password after install.)
2. During first-run, removes the admin password that slapd generated.
3. Sets root user as the RootDN for the users directory. This allows
users with sudo privileges to run ldapadd/ldapmodify on this directory.

Regards,
James
diff --git a/first-run.d/50_ldap-server b/first-run.d/50_ldap-server
new file mode 100755
index 0000000..6b45da8
--- /dev/null
+++ b/first-run.d/50_ldap-server
@@ -0,0 +1,15 @@
+#!/bin/sh
+#
+# Remove LDAP admin password. Allow root to modify the users directory.
+
+cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+delete: olcRootPW
+
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+replace: olcRootDN
+olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
+
+EOF
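Review bot: the two changes to olcDatabase={1}mdb,cn=config are sent as separate modify operations, so if `delete: olcRootPW` succeeds and the following `replace: olcRootDN` is rejected, the database is left with no root password and the old RootDN, and the script still exits 0 because there is no `set -e`. Fold both into one operation on the same dn, separated by a `-` line (`delete: olcRootPW`, `-`, `replace: olcRootDN`), so they apply atomically, and add `set -e` after the shebang. Note also that `delete: olcRootPW` fails with "No such attribute" on a second run, so the script is not safe to re-run as written, and the `{1}mdb` index is hard-coded and must match the database the setup script created.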
diff --git a/setup.d/30_ldap-server b/setup.d/30_ldap-server
index 231e83a..c6c41c2 100755
--- a/setup.d/30_ldap-server
+++ b/setup.d/30_ldap-server
@@ -1,22 +1,14 @@
 #!/bin/sh
 
-DEBIAN_FRONTEND=noninteractive apt-get install -y pwgen
-pwd="$(pwgen -1)"
-
 domain=thisbox
 
 echo slapd slapd/domain string $domain   | debconf-set-selections
-echo slapd slapd/password1 password "$pwd" | debconf-set-selections
-echo slapd slapd/password2 password "$pwd" | debconf-set-selections
 
 DEBIAN_FRONTEND=noninteractive apt-get install -y slapd ldap-utils
 
 # Make sure slapd isn't running when we use slapadd
 service slapd stop
 
-# slapcat -b cn=config
-
-#slapadd /usr/share/freedombox/ldap/root.ldif
 cat <<EOF|slapadd
 dn: ou=users,dc=$domain
 objectClass: top
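Review bot: with the slapd/password1 and slapd/password2 preseeds removed, nothing in this file says what becomes of the admin password; the cover letter explains that slapd still generates one after install and that first-run deletes it, but a maintainer reading only this script would not know that, so add a comment next to the `apt-get install -y slapd` line stating that the root password is intentionally not set here and is removed by first-run.d/50_ldap-server. Minor style point: `cat <<EOF|slapadd` can be written `slapadd <<EOF`.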
@@ -24,5 +16,3 @@ objectClass: organizationalUnit
 ou: users
 
 EOF
-
-echo password: $pwd
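Review bot: dropping `echo password: $pwd` removes the last use of `$pwd` and with it the log disclosure raised in the thread; a side effect is that the script's exit status is now that of the `cat <<EOF|slapadd` pipeline rather than the always-zero `echo`, so a failed slapadd now propagates to the caller. That is the right direction, but the earlier `apt-get install` and `service slapd stop` remain unchecked; add `set -e` after the shebang so those failures stop the script as well.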

Attachment: signature.asc
Description: OpenPGP digital signature
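As an added example that is not part of James's patch or of FreedomBox: a POSIX sh audit for the state that steps 2 and 3 of the message are meant to leave on the users database, reading LDIF the way `ldapsearch` over `ldapi:///` would print it. The ldapsearch invocation in the comment, the function name `audit_mdb_config`, and the two sample LDIF entries (including the placeholder hash value) are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not part of James's patch or of FreedomBox: audit the
# olcDatabase={1}mdb,cn=config entry for the state first-run is meant to leave
# behind, i.e. no olcRootPW attribute and olcRootDN set to root's peercred DN.
# The function reads LDIF on stdin, as produced by (assumed invocation, run as root):
#   ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// \
#       -b 'olcDatabase={1}mdb,cn=config' -s base olcRootDN olcRootPW
# Below it is fed constructed sample LDIF so the script runs offline.

EXPECTED_ROOTDN='gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'

# audit_mdb_config: returns 0 when the entry is hardened, 1 otherwise,
# printing one FINDING line per problem.
audit_mdb_config() {
    ldif=$(cat)
    rc=0
    # '^olcRootPW:' also matches the base64 form 'olcRootPW::'.
    if printf '%s\n' "$ldif" | grep -qi '^olcRootPW:'; then
        echo 'FINDING: olcRootPW is still set; a password bind as RootDN is possible'
        rc=1
    fi
    rootdn=$(printf '%s\n' "$ldif" | sed -n 's/^olcRootDN: //p' | head -n 1)
    if [ "$rootdn" != "$EXPECTED_ROOTDN" ]; then
        echo "FINDING: olcRootDN is '$rootdn', expected '$EXPECTED_ROOTDN'"
        rc=1
    fi
    return $rc
}

# Constructed sample: what a stock Debian install looks like before first-run
# (the hash value is a placeholder, not a real password hash).
BEFORE_LDIF='dn: olcDatabase={1}mdb,cn=config
olcRootDN: cn=admin,dc=thisbox
olcRootPW: {SSHA}PLACEHOLDER-NOT-A-REAL-HASH'

# Constructed sample: the state the first-run script is meant to produce.
AFTER_LDIF='dn: olcDatabase={1}mdb,cn=config
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'

echo '--- before first-run ---'
printf '%s\n' "$BEFORE_LDIF" | audit_mdb_config || echo 'RESULT: not hardened'
echo '--- after first-run ---'
printf '%s\n' "$AFTER_LDIF" | audit_mdb_config && echo 'RESULT: hardened'
```

On a live box the function would be fed by the ldapsearch line in the comment instead of the samples; it is written against the entry's LDIF rather than calling ldapsearch itself so it can be run in a test harness without a slapd, and so the same check works on a `slapcat -b cn=config` dump taken from a backup.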