Thanks for your reply,
If compiling and installing from source, I don't see any information in the manual about how to auto-start the software and about process/file/directory permissions and ownership. I'm still searching the Faq-O-Matic (which is a little frustrating).
Taking a step back, I'd love to install from yum on RHEL/CentOS and let it be taken care of in a trusted manner. But we require better password hashing than SHA1, so we are required to compile by hand using the passwd/sha2 contributed module (little surprised this isn't accepted into the core project, but I'm sure there are reasons). Maybe I can find this in a third-party repo somewhere?
Not sure what you mean. The SHA2 contrib module is shipped with every OpenLDAP release. Thus, as best I can tell, it is indeed included.
My "surprised" comment is in reference to the fact that the default build of OpenLDAP only supports SHA1, which is widely regarded as deprecated. Why hasn't the sha2 module been migrated out of the contrib directory is what I am getting at (which commonly requires situations like this -- forcing people who wouldn't otherwise do so to install from source just to obtain this feature). One could argue that situations like this contribute to the lack of adoption of stronger password schemes in general. Something of an off-topic tangent.
If you are using RHEL or CentOS, you may be interested in http://ltb-project.org/wiki/download#openldap
Great. I will investigate.
Does anyone else know of any yum-compatible repos that have a sha2-enabled OpenLDAP build in them? Anyone know anything about the OpenLDAP packages in RepoForge?
I actually only assumed without testing that the OpenLDAP package in the CentOS base repo doesn't have the sha2 module compiled in. I should go back and check that assumption.
Also, reflecting on the installation of the sha2 module, it occurs to me that short of the CentOS repo package already having sha2 compiled in, the best course of action is probably to compile only the sha2 module and use it with the CentOS package --- including the module in the slapd configuration seems to be the extent of integration, so that should work, no? If so, I think this would be the best option.
After installation, what is commonly done in this regard? Create user/group "ldap" with no login shell and chown ldap:ldap on /usr/local/var/openldap-data? Is that all?
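An added example (not from any poster in this thread) of the slapd.conf lines that integrate the contrib module the way the message above proposes: build only contrib/slapd-modules/passwd/sha2, install the resulting pw-sha2.la into slapd's module directory, and load it from the configuration. The module path below is the default of a --prefix=/usr/local source build and is an assumption; a distribution package normally puts modules elsewhere (check its modulepath).

```conf
# slapd.conf fragment: enable the SHA-2 password schemes from the contrib module.
# Assumed module location for a /usr/local source build; adjust to your layout.
modulepath  /usr/local/libexec/openldap
moduleload  pw-sha2.la

# Store new passwords as salted SHA-512 ({SSHA512}) instead of the default
# {SSHA}, which is salted SHA-1. The module also provides {SHA256}, {SHA384},
# {SHA512}, {SSHA256} and {SSHA384}.
password-hash   {SSHA512}

# The rootpw value can use the new scheme as well; generate it with
#   slappasswd -h '{SSHA512}' -o module-load=pw-sha2.la
rootpw  {SSHA512}REPLACE-WITH-SLAPPASSWD-OUTPUT
```

Two caveats worth knowing before relying on this: password-hash only governs hashes that slapd itself generates (the Password Modify extended operation, or ppolicy with ppolicy_hash_cleartext), so a client that writes a pre-hashed or cleartext userPassword by plain modify bypasses it; and existing {SSHA} values keep verifying fine and are only replaced when each password is next changed. With cn=config the equivalent attributes are olcModuleLoad: pw-sha2.la on the cn=module entry and olcPasswordHash: {SSHA512} on cn=config. The slappasswd command above doubles as a check that the module loads at all: if it prints a {SSHA512} hash, slapd will be able to load it too.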
It depends on your needs. I have done anything from running slapd as root, to running it as a specific user.
I'd welcome pointers to somewhere this is discussed (don't see it in the docs, maybe in the FAQ?). I don't have needs that are much different than anyone else.
I naively assume slapd should generally not be run as root. In that case, is creating an ldap user/group and chowning the openldap-data directory the only things to do?
Then what do people use for auto-starting the software (presumably with -u ldap -g ldap) in a RedHat environment?
I wrote my own startup script that works with chkconfig. http://linuxcommand.org/man_pages/chkconfig8.html
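An added example, not the script the poster refers to and not part of OpenLDAP: a chkconfig-compatible init script that also carries the one-time post-install steps asked about above (service account with no login shell, data and pid directories owned by it, config readable by the service account only) and starts slapd with -u/-g so it drops root after binding its ports. Paths are the defaults of a --prefix=/usr/local source build and are assumptions; override them via the environment or edit them.

```shell
#!/bin/sh
# slapd - start/stop a hand-built OpenLDAP slapd as an unprivileged user.
#
# chkconfig: 2345 27 73
# description: OpenLDAP stand-alone directory server (slapd)
#
# Added example for this thread, not a script from the OpenLDAP project or
# from any poster.  Assumed layout (a source build with --prefix=/usr/local);
# override via the environment if yours differs.
SLAPD=${SLAPD:-/usr/local/libexec/slapd}
SLAPD_CONF=${SLAPD_CONF:-/usr/local/etc/openldap/slapd.conf}
SLAPD_USER=${SLAPD_USER:-ldap}
SLAPD_GROUP=${SLAPD_GROUP:-ldap}
SLAPD_URLS=${SLAPD_URLS:-"ldap:/// ldapi:///"}
DATA_DIR=${DATA_DIR:-/usr/local/var/openldap-data}
RUN_DIR=${RUN_DIR:-/usr/local/var/run}
PIDFILE=${PIDFILE:-$RUN_DIR/slapd.pid}   # must match "pidfile" in slapd.conf

# Octal mode of a path, e.g. "700"; used to verify the setup.
dir_mode() { stat -c '%a' "$1"; }

# Return 0 when $1 is owned by user $2 (a name or a numeric uid), else 1.
check_dir_owner() {
    want=$(id -u "$2" 2>/dev/null || echo "$2")
    [ "$(stat -c '%u' "$1")" = "$want" ]
}

# Options that make slapd give up root once its listeners are bound:
# -u/-g switch to the service account, -f selects the config file.
slapd_args() {
    echo "-u $SLAPD_USER -g $SLAPD_GROUP -f $SLAPD_CONF"
}

# One-time post-install steps (run as root): service account with no login
# shell, database and pid directories owned by it and closed to others.
setup() {
    getent group "$SLAPD_GROUP" >/dev/null || groupadd -r "$SLAPD_GROUP"
    getent passwd "$SLAPD_USER" >/dev/null ||
        useradd -r -M -g "$SLAPD_GROUP" -d "$DATA_DIR" -s /sbin/nologin "$SLAPD_USER"
    mkdir -p "$DATA_DIR" "$RUN_DIR"
    chown "$SLAPD_USER:$SLAPD_GROUP" "$DATA_DIR" "$RUN_DIR"
    chmod 0700 "$DATA_DIR"
    # slapd.conf holds the rootpw hash: readable by the service account only.
    chown "root:$SLAPD_GROUP" "$SLAPD_CONF" && chmod 0640 "$SLAPD_CONF"
}

start() {
    check_dir_owner "$DATA_DIR" "$SLAPD_USER" ||
        { echo "$DATA_DIR is not owned by $SLAPD_USER; run '$0 setup' first" >&2; return 1; }
    # $(slapd_args) is deliberately unquoted so it expands to separate options.
    "$SLAPD" $(slapd_args) -h "$SLAPD_URLS"
}

stop() {
    [ -r "$PIDFILE" ] || { echo "slapd is not running" >&2; return 1; }
    kill "$(cat "$PIDFILE")"
}

status() {
    if [ -r "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
        echo "slapd (pid $(cat "$PIDFILE")) is running"
    else
        echo "slapd is stopped"; return 3
    fi
}

case "${1:-}" in
    start)   start ;;
    stop)    stop ;;
    restart) stop; start ;;
    status)  status ;;
    setup)   setup ;;
    "")      : ;;   # no action given: define the functions only
    *)       echo "Usage: $0 {start|stop|restart|status|setup}" >&2; exit 2 ;;
esac
```

Install it as /etc/init.d/slapd, run `chkconfig --add slapd` to register the runlevels from the header comment, then `service slapd setup` once and `service slapd start`. The start guard refuses to launch if the data directory is not owned by the service account, which catches the common case of a database created while testing as root that slapd can no longer write after dropping privileges.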
I'm looking for anyone who wants to share such scripts.
Thanks kindly for your time, much appreciated.