Changeset 2df08064 for server/other/openldap.xml
- Timestamp: 01/31/2016 06:49:17 AM
- Branches: systemd-13485
- Children: d19fb65
- Parents: 957e8a3d
- File: 1 edited
server/other/openldap.xml
r957e8a3d r2df08064 7 7 <!ENTITY openldap-download-http " "> 8 8 <!ENTITY openldap-download-ftp "ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-&openldap-version;.tgz"> 9 <!ENTITY openldap-md5sum "4 7c8e2f283647a6105b8b0325257e922">9 <!ENTITY openldap-md5sum "49ca65e27891fcf977d78c10f073c705"> 10 10 <!ENTITY openldap-size "5.4 MB"> 11 <!ENTITY openldap-buildsize "53 MB (client), 103 MB (server , additional 5 MB for the tests)">12 <!ENTITY openldap-time "0. 6 SBU (client), 1.1 SBU (server, additional 3.4 SBU for the tests)">11 <!ENTITY openldap-buildsize "53 MB (client), 103 MB (server)"> 12 <!ENTITY openldap-time "0.7 SBU (client), 1.3 SBU (server)"> 13 13 ]> 14 14 … … 35 35 </para> 36 36 37 &lfs7 7_checked;37 &lfs78_checked; 38 38 39 39 <bridgehead renderas="sect3">Package Information</bridgehead> … … 91 91 <bridgehead renderas="sect4">Optional</bridgehead> 92 92 <para role="optional"> 93 <xref linkend="db"/> (not recommended by the94 developers due to license incompatiblities),95 93 <xref linkend="icu"/>, 96 <xref linkend="mariadb"/> or97 <xref linkend="postgresql"/>,98 94 <xref linkend="pth"/>, 99 <xref linkend="unixodbc"/> and 100 <ulink url="http://www.openslp.org/">OpenSLP</ulink> 95 <xref linkend="unixodbc"/>, 96 <xref linkend="mariadb"/> or 97 <xref linkend="postgresql"/> or 98 <ulink url="http://www.mysql.com/">MySQL</ulink>, 99 <ulink url="http://www.openslp.org/">OpenSLP</ulink>, and 100 <xref linkend="db"/> (not recommended by the developers) 101 101 </para> 102 102 … … 138 138 139 139 <warning> 140 <para> 141 If upgrading from a previos installation that used Berkeley DB as 142 the backend, you will need to dump the database(s) using the 143 <command>slapcat</command> utility, relocate all files in 144 <filename class="directory">/var/lib/openldap</filename>, change all 145 instances of <option>bdb</option> to <option>mdb</option> in 146 <filename>/etc/openldap/slapd.conf</filename> and any files in 147 <filename 
class="directory">/etc/openldap/slapd.d</filename>, and import 148 using the <command>slapadd</command> utility after the installation is 149 completed. 140 <para>If upgrading from a previos installation that used Berkeley DB as 141 the backend, you will need to dump the database(s) using the 142 <command>slapcat</command> utility, relocate all files in 143 <filename class="directory">/var/lib/openldap</filename>, change all 144 instances of <option>bdb</option> to <option>mdb</option> in 145 <filename>/etc/openldap/slapd.conf</filename> and any files in 146 <filename class="directory">/etc/openldap/slapd.d</filename>, and import 147 using the <command>slapadd</command> utility after the installation is 148 completed. 150 149 </para> 151 150 </warning> … … 159 158 160 159 <screen role="root"><userinput>groupadd -g 83 ldap && 161 useradd -c "OpenLDAP Daemon Owner" -d /var/lib/openldap -u 83 \ 162 -g ldap -s /bin/false ldap</userinput></screen> 160 useradd -c "OpenLDAP Daemon Owner" \ 161 -d /var/lib/openldap -u 83 \ 162 -g ldap -s /bin/false ldap</userinput></screen> 163 163 164 164 <para> … … 176 176 --disable-static \ 177 177 --disable-debug \ 178 --with-tls=openssl \ 179 --with-cyrus-sasl \ 178 180 --enable-dynamic \ 179 181 --enable-crypt \ 180 182 --enable-spasswd \ 183 --enable-slapd \ 181 184 --enable-modules \ 182 --enable-rlookups \183 185 --enable-backends=mod \ 184 --enable-overlays=mod \ 186 --disable-ndb \ 187 --disable-sql \ 188 --disable-shell \ 185 189 --disable-bdb \ 186 190 --disable-hdb \ 187 -- disable-ndb \188 --disable-sql && 191 --enable-overlays=mod && 192 189 193 make depend && 190 194 make</userinput></screen> 191 195 192 196 <para> 193 To test the results, issue: <command>make -k test</command>. 197 The tests appear to be fragile. Errors may cause the tests to abort 198 prior to finishing, apparently due to timing issues. The tests 199 take about 65 minutes and are processor independent. 
200 To test the results, issue: <command>make test</command>. 194 201 </para> 195 202 … … 202 209 install -v -dm700 -o ldap -g ldap /var/lib/openldap && 203 210 install -v -dm700 -o ldap -g ldap /etc/openldap/slapd.d && 204 chmod -v 640 /etc/openldap/slapd.{conf,ldif} && 205 chown -v root:ldap /etc/openldap/slapd.{conf,ldif} && 206 207 install -v -dm755 /usr/share/doc/openldap-&openldap-version; && 208 cp -vfr doc/{drafts,rfc,guide} /usr/share/doc/openldap-&openldap-version;</userinput></screen> 209 210 <para> 211 Having slapd configuration files and ldap databases in /var/lib/openldap 212 readable by anyone is a SECURITY ISSUE, especially since a file stores 213 admin password in PLAIN TEXT. That's why mode 640 and root:ldap ownership 214 were used. Owner is root, so only root can modify the file, and group is 215 ldap, so that the group which owns slapd daemon could read but not modify 216 the file in case of a security breach. 217 </para> 211 chmod -v 640 /etc/openldap/slapd.{conf,ldif} && 212 chown -v root:ldap /etc/openldap/slapd.{conf,ldif} && 213 214 install -v -dm755 /usr/share/doc/openldap-&openldap-version; && 215 cp -vfr doc/{drafts,rfc,guide} \ 216 /usr/share/doc/openldap-&openldap-version;</userinput></screen> 218 217 219 218 </sect2> … … 264 263 <parameter>--enable-overlays</parameter>: This switch enables 265 264 all available overlays. 266 </para>267 268 <para>269 <parameter>--disable-bdb --disable-hdb</parameter>: These270 switches disable271 <application>Berkeley DB</application> backend due to272 license incompatiblities with latest version of273 <application>Berkeley DB</application>.274 265 </para> 275 266 … … 308 299 </para> 309 300 </note> 301 302 <para> 303 <command>install ...</command>, <command>chown ...</command>, 304 and <command>chmod ...</command>: 305 Having slapd configuration files and ldap databases in /var/lib/openldap 306 readable by anyone is a SECURITY ISSUE, especially since a file stores the 307 admin password in PLAIN TEXT. 
That's why mode 640 and root:ldap ownership 308 were used. The owner is root, so only root can modify the file, and group is 309 ldap, so that the group which owns slapd daemon could read but not modify 310 the file in case of a security breach. 311 </para> 310 312 311 313 </sect2> … … 371 373 The <ulink url="http://www.openldap.org/doc/admin24/"> OpenLDAP 2.4 372 374 Administrator's Guide</ulink> (also installed locally in 373 <filename class= "directory">375 <filename class='directory'> 374 376 /usr/share/doc/openldap-&openldap-version;/guide/admin</filename>). 375 377 </para> … … 488 490 <seg> 489 491 /etc/openldap, 490 /usr/lib/openldap, 491 /usr/share/doc/openldap-&openldap-version;, and 492 /var/lib/openldap 492 /{usr,var}/lib/openldap, and 493 /usr/share/doc/openldap-&openldap-version; 493 494 </seg> 494 495 </seglistitem>
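Review bot: In the entity block at the top of the file, the updated openldap-md5sum remains the only integrity value, and the only download URL visible in the hunk is plain ftp://ftp.openldap.org/..., so the reader has nothing stronger than an MD5 checksum to validate a tarball fetched over an unauthenticated transfer. Consider adding a SHA-256 entity next to openldap-md5sum, or a pointer to whatever signature upstream publishes for the release.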
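Review bot: The re-wrapped warning paragraph still reads "previos installation" on the new side; correct it to "previous" while the paragraph is being touched. Since the slapcat dump has to happen before the new build replaces the old binaries and slapadd only after, the sentence would also be safer as an ordered list of steps than as a single run-on.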
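Review bot: The configure hunk adds --with-tls=openssl, --with-cyrus-sasl, --enable-slapd and --disable-shell and drops --enable-rlookups, but no hunk in this changeset adds matching entries under the command explanations; the only change there removes the --disable-bdb --disable-hdb paragraph even though both switches are still passed to configure. Keep that explanation (reworded if the license rationale no longer applies), add short entries for the new switches, and check that the dependency section lists what --with-tls=openssl and --with-cyrus-sasl now need.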
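Review bot: The test paragraph now warns that errors may abort the run before it finishes, yet the same hunk changes the command from make -k test to make test, which gives up at the first failing target. Keep -k, or say why it was dropped. The paragraph would also read better with the "To test the results, issue:" sentence first and the caveats about fragility and the 65 minute run time after it.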
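Review bot: The relocated explanation is headed install ..., chown ... and chmod ..., but its text only justifies mode 640 and root:ldap on /etc/openldap/slapd.{conf,ldif}; it opens by mentioning databases in /var/lib/openldap without saying that the install -v -dm700 -o ldap -g ldap lines are what protect them. Add a sentence tying /var/lib/openldap and /etc/openldap/slapd.d to the mode 700 directories owned by ldap, and name the file that holds the plain-text admin password instead of "a file".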
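Review bot: In the Administrator's Guide paragraph, class='directory' switches to single quotes while every other filename element in this diff uses class="directory"; keep the double quotes so the attribute style stays consistent across the file.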