1ba07db975
- Upgrade to nev upstream version. This makes the 2.2.*-hop patch obsolete. * Mon Aug 22 2005 Jay Fenlason <fenlason@redhat.com> 2.2.26-2 - Move the slapd.pem file to /etc/pki/tls/certs and edit the -config patch to match to close bz#143393 Creates certificates + keys at an insecure/bad place - also use _sysconfdir instead of hard-coding /etc * Thu Aug 11 2005 Jay Fenlason <fenlason@redhat.com> - Add the tls-fix-connection-test patch to close bz#161991 openldap password disclosure issue - add the hop patches to prevent infinite looping when chasing referrals. OpenLDAP ITS #3578
107 lines
4.3 KiB
Diff
107 lines
4.3 KiB
Diff
Force the default db directory to /var/lib/ldap, default to including
|
|
nis.schema and its prerequisites, allow LDAPv2 clients, increase the set of
|
|
indexed attributes for the default database.
|
|
|
|
--- openldap-2.2.13/doc/man/man8/slurpd.8 2004-01-01 13:16:27.000000000 -0500
|
|
+++ openldap-2.2.13/doc/man/man8/slurpd.8 2004-06-15 11:40:04.000000000 -0400
|
|
@@ -120,7 +120,7 @@
|
|
temporary files may contain sensitive information.
|
|
This option allows you to specify the location of these temporary files.
|
|
The default is
|
|
-.BR LOCALSTATEDIR/openldap-slurp .
|
|
+.BR /var/lib/ldap .
|
|
.TP
|
|
.BI \-k " srvtab\-file"
|
|
Specify the location of the kerberos srvtab file which contains keys
|
|
--- openldap-2.2.13/servers/slapd/slapd.conf 2003-12-29 13:10:40.000000000 -0500
|
|
+++ openldap-2.2.13/servers/slapd/slapd.conf 2004-06-15 11:44:23.000000000 -0400
|
|
@@ -3,8 +3,12 @@
|
|
# This file should NOT be world readable.
|
|
#
|
|
include %SYSCONFDIR%/schema/core.schema
|
|
+include %SYSCONFDIR%/schema/cosine.schema
|
|
+include %SYSCONFDIR%/schema/inetorgperson.schema
|
|
+include %SYSCONFDIR%/schema/nis.schema
|
|
|
|
-# Define global ACLs to disable default read access.
|
|
+# Allow LDAPv2 client connections. This is NOT the default.
|
|
+allow bind_v2
|
|
|
|
# Do not enable referrals until AFTER you have a working directory
|
|
# service AND an understanding of referrals.
|
|
@@ -21,6 +25,15 @@
|
|
# moduleload back_passwd.la
|
|
# moduleload back_shell.la
|
|
|
|
+# The next three lines allow use of TLS for encrypting connections using a
|
|
+# dummy test certificate which you can generate by changing to
|
|
+# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
|
|
+# slapd.pem so that the ldap user or group can read it. Your client software
|
|
+# may balk at self-signed certificates, however.
|
|
+# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
|
|
+# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
|
|
+# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
|
|
+
|
|
# Sample security restrictions
|
|
# Require integrity protection (prevent hijacking)
|
|
# Require 112-bit (3DES or better) encryption for updates
|
|
@@ -49,19 +62,32 @@
|
|
# rootdn can always read and write EVERYTHING!
|
|
|
|
#######################################################################
|
|
-# BDB database definitions
|
|
+# ldbm and/or bdb database definitions
|
|
#######################################################################
|
|
|
|
database bdb
|
|
suffix "dc=my-domain,dc=com"
|
|
rootdn "cn=Manager,dc=my-domain,dc=com"
|
|
# Cleartext passwords, especially for the rootdn, should
|
|
-# be avoid. See slappasswd(8) and slapd.conf(5) for details.
|
|
+# be avoided. See slappasswd(8) and slapd.conf(5) for details.
|
|
# Use of strong authentication encouraged.
|
|
-rootpw secret
|
|
+# rootpw secret
|
|
+# rootpw {crypt}ijFYNcSNctBYg
|
|
+
|
|
# The database directory MUST exist prior to running slapd AND
|
|
# should only be accessible by the slapd and slap tools.
|
|
# Mode 700 recommended.
|
|
-directory %LOCALSTATEDIR%/openldap-data
|
|
+directory /var/lib/ldap
|
|
+
|
|
-# Indices to maintain
|
|
-index objectClass eq
|
|
+# Indices to maintain for this database
|
|
+index objectClass eq,pres
|
|
+index ou,cn,mail,surname,givenname eq,pres,sub
|
|
+index uidNumber,gidNumber,loginShell eq,pres
|
|
+index uid,memberUid eq,pres,sub
|
|
+index nisMapName,nisMapEntry eq,pres,sub
|
|
+
|
|
+# Replicas of this database
|
|
+#replogfile /var/lib/ldap/openldap-master-replog
|
|
+#replica host=ldap-1.example.com:389 starttls=critical
|
|
+# bindmethod=sasl saslmech=GSSAPI
|
|
+# authcId=host/ldap-master.example.com@EXAMPLE.COM
|
|
--- openldap-2.2.13/servers/slurpd/slurp.h 2004-01-01 13:16:42.000000000 -0500
|
|
+++ openldap-2.2.13/servers/slurpd/slurp.h 2004-06-15 11:40:04.000000000 -0400
|
|
@@ -66,7 +66,7 @@
|
|
#define SERVICE_NAME OPENLDAP_PACKAGE "-slurpd"
|
|
|
|
/* Default directory for slurpd's private copy of replication logs */
|
|
-#define DEFAULT_SLURPD_REPLICA_DIR LDAP_RUNDIR LDAP_DIRSEP "openldap-slurp"
|
|
+#define DEFAULT_SLURPD_REPLICA_DIR "/var/lib/ldap"
|
|
|
|
/* Default name for slurpd's private copy of the replication log */
|
|
#define DEFAULT_SLURPD_REPLOGFILE "slurpd.replog"
|
|
@@ -75,7 +75,7 @@
|
|
#define DEFAULT_SLURPD_STATUS_FILE "slurpd.status"
|
|
|
|
/* slurpd dump file - contents of rq struct are written here (debugging) */
|
|
-#define SLURPD_DUMPFILE LDAP_TMPDIR LDAP_DIRSEP "slurpd.dump"
|
|
+#define SLURPD_DUMPFILE DEFAULT_SLURPD_REPLICA_DIR "/slurpd.dump"
|
|
|
|
/* Amount of time to sleep if no more work to do */
|
|
#define DEFAULT_NO_WORK_INTERVAL 3
|