openldap/openldap-2.2.15-config.patch
fenlason 1ba07db975 * Thu Sep 29 2005 Jay Fenlason <fenlason@redhat.com> 2.2.28-2
- Upgrade to nev upstream version.  This makes the 2.2.*-hop patch obsolete.

* Mon Aug 22 2005 Jay Fenlason <fenlason@redhat.com> 2.2.26-2
- Move the slapd.pem file to /etc/pki/tls/certs
  and edit the -config patch to match to close
  bz#143393  Creates certificates + keys at an insecure/bad place
- also use _sysconfdir instead of hard-coding /etc

* Thu Aug 11 2005 Jay Fenlason <fenlason@redhat.com>
- Add the tls-fix-connection-test patch to close
  bz#161991 openldap password disclosure issue
- add the hop patches to prevent infinite looping when chasing referrals.
  OpenLDAP ITS #3578
2005-09-30 19:29:43 +00:00

107 lines
4.3 KiB
Diff

Force the default db directory to /var/lib/ldap, default to including
nis.schema and its prerequisites, allow LDAPv2 clients, increase the set of
indexed attributes for the default database.
--- openldap-2.2.13/doc/man/man8/slurpd.8 2004-01-01 13:16:27.000000000 -0500
+++ openldap-2.2.13/doc/man/man8/slurpd.8 2004-06-15 11:40:04.000000000 -0400
@@ -120,7 +120,7 @@
temporary files may contain sensitive information.
This option allows you to specify the location of these temporary files.
The default is
-.BR LOCALSTATEDIR/openldap-slurp .
+.BR /var/lib/ldap .
.TP
.BI \-k " srvtab\-file"
Specify the location of the kerberos srvtab file which contains keys
--- openldap-2.2.13/servers/slapd/slapd.conf 2003-12-29 13:10:40.000000000 -0500
+++ openldap-2.2.13/servers/slapd/slapd.conf 2004-06-15 11:44:23.000000000 -0400
@@ -3,8 +3,12 @@
# This file should NOT be world readable.
#
include %SYSCONFDIR%/schema/core.schema
+include %SYSCONFDIR%/schema/cosine.schema
+include %SYSCONFDIR%/schema/inetorgperson.schema
+include %SYSCONFDIR%/schema/nis.schema
-# Define global ACLs to disable default read access.
+# Allow LDAPv2 client connections. This is NOT the default.
+allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
@@ -21,6 +25,15 @@
# moduleload back_passwd.la
# moduleload back_shell.la
+# The next three lines allow use of TLS for encrypting connections using a
+# dummy test certificate which you can generate by changing to
+# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
+# slapd.pem so that the ldap user or group can read it. Your client software
+# may balk at self-signed certificates, however.
+# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
+# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
+
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
@@ -49,19 +62,32 @@
# rootdn can always read and write EVERYTHING!
#######################################################################
-# BDB database definitions
+# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
-# be avoid. See slappasswd(8) and slapd.conf(5) for details.
+# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
-rootpw secret
+# rootpw secret
+# rootpw {crypt}ijFYNcSNctBYg
+
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
-directory %LOCALSTATEDIR%/openldap-data
+directory /var/lib/ldap
+
-# Indices to maintain
-index objectClass eq
+# Indices to maintain for this database
+index objectClass eq,pres
+index ou,cn,mail,surname,givenname eq,pres,sub
+index uidNumber,gidNumber,loginShell eq,pres
+index uid,memberUid eq,pres,sub
+index nisMapName,nisMapEntry eq,pres,sub
+
+# Replicas of this database
+#replogfile /var/lib/ldap/openldap-master-replog
+#replica host=ldap-1.example.com:389 starttls=critical
+# bindmethod=sasl saslmech=GSSAPI
+# authcId=host/ldap-master.example.com@EXAMPLE.COM
--- openldap-2.2.13/servers/slurpd/slurp.h 2004-01-01 13:16:42.000000000 -0500
+++ openldap-2.2.13/servers/slurpd/slurp.h 2004-06-15 11:40:04.000000000 -0400
@@ -66,7 +66,7 @@
#define SERVICE_NAME OPENLDAP_PACKAGE "-slurpd"
/* Default directory for slurpd's private copy of replication logs */
-#define DEFAULT_SLURPD_REPLICA_DIR LDAP_RUNDIR LDAP_DIRSEP "openldap-slurp"
+#define DEFAULT_SLURPD_REPLICA_DIR "/var/lib/ldap"
/* Default name for slurpd's private copy of the replication log */
#define DEFAULT_SLURPD_REPLOGFILE "slurpd.replog"
@@ -75,7 +75,7 @@
#define DEFAULT_SLURPD_STATUS_FILE "slurpd.status"
/* slurpd dump file - contents of rq struct are written here (debugging) */
-#define SLURPD_DUMPFILE LDAP_TMPDIR LDAP_DIRSEP "slurpd.dump"
+#define SLURPD_DUMPFILE DEFAULT_SLURPD_REPLICA_DIR "/slurpd.dump"
/* Amount of time to sleep if no more work to do */
#define DEFAULT_NO_WORK_INTERVAL 3