--On Tuesday, January 15, 2013 2:35 PM -0800 Ori Bani oribani@gmail.com wrote:
> My "surprised" comment is in reference to the fact that the default build of OpenLDAP only supports SHA1, which is widely regarded as deprecated. Why hasn't the sha2 module been migrated out of the contrib directory is what I am getting at (which commonly requires situations like this -- forcing people who wouldn't otherwise do so to install from source just to obtain this feature). One could argue that situations like this contribute to the lack of adoption of stronger password schemes in general. Something of an off-topic tangent.
The "core" of OpenLDAP tries to be as RFC compliant as possible. There is no RFC that I'm aware of that adds SHA2 support. The "contrib" area is for modules that add non-RFC behavior to the stock behavior of OpenLDAP.
> Does anyone else know of any yum-compatible repos that have a sha2-enabled OpenLDAP build in them? Anyone know anything about the OpenLDAP packages in RepoForge?
I always build OpenLDAP myself, so no idea.
> I naively assume slapd should generally not be run as root. In that case, is creating an ldap user/group and chowning the openldap-data directory the only thing to do?
For slapd, I think it is generally an administrator preference. You are certainly more secure from any sort of potential root exploit by not running it as root.
As for chkconfig scripts, you can simply google for it... One example of many:

http://www.faqs.org/docs/securing/chap26sec214.html

This one is clearly a bit old since it looks for slapd.conf and slurpd, but the basic concepts are there. Or you could just look at the one that ships with RHEL/CentOS...
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
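A post-install check for the non-root slapd setup discussed above, added here as an example and not part of the thread: it verifies that the data directory belongs to the service account with no group/other access, and that no running slapd has root as its user. The `ldap` account name, the `/var/lib/ldap` path and the `slapd -u/-g` invocation are assumptions; adjust them to your build.

```shell
#!/bin/sh
# Added example, not from the OpenLDAP thread. Assumed layout:
#   useradd -r -d /var/lib/ldap -s /sbin/nologin ldap
#   chown -R ldap:ldap /var/lib/ldap && chmod 0700 /var/lib/ldap
#   slapd -u ldap -g ldap ...      (slapd(8) drops privileges to that user/group)
# Names and paths below are assumptions; override via environment if needed.

LDAP_USER="${LDAP_USER:-ldap}"
DATA_DIR="${DATA_DIR:-/var/lib/ldap}"

# check_data_dir DIR UID GID
# Returns 0 when DIR exists, is owned by UID:GID (numeric) and its mode grants
# nothing to group or other (last two octal digits are 00); otherwise 1.
check_data_dir() {
    dir=$1; want_uid=$2; want_gid=$3
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    owner=$(stat -c '%u:%g' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    if [ "$owner" != "$want_uid:$want_gid" ]; then
        echo "bad owner on $dir: $owner (want $want_uid:$want_gid)"
        return 1
    fi
    case "$mode" in
        *00) return 0 ;;
        *)   echo "too permissive: $dir has mode $mode"; return 1 ;;
    esac
}

# check_slapd_not_root
# Returns 0 when no slapd process runs with user root (or none is running).
check_slapd_not_root() {
    pids=$(pgrep -x slapd 2>/dev/null) || { echo "slapd not running"; return 0; }
    for p in $pids; do
        u=$(ps -o user= -p "$p")
        if [ "$u" = "root" ]; then
            echo "slapd pid $p is running as root"
            return 1
        fi
    done
    return 0
}

# main: resolve the service account to numeric ids and run both checks.
main() {
    uid=$(id -u "$LDAP_USER") || return 1
    gid=$(id -g "$LDAP_USER") || return 1
    check_data_dir "$DATA_DIR" "$uid" "$gid" && check_slapd_not_root
}

if [ "${1:-}" = "--check" ]; then main; fi
```

Run as `sh check-slapd.sh --check`; a non-zero exit means one of the two conditions failed and the reason was printed.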