[Pkg-openldap-devel] Bug#742056: slapd: please add a debconf variable to disable RootPW and use unix permissions instead

Guilhem Moulin guilhem at guilhem.org
Tue Mar 18 17:24:38 UTC 2014


Package: slapd
Version: 2.4.39-1
Severity: wishlist

Dear Maintainer,

When installing slapd in a non-interactive environment (for instance
using a configuration manager):

  DEBIAN_FRONTEND=noninteractive apt-get install slapd

Currently a new database ‘olcDatabase={1}hdb,cn=config’ is automatically
created, and a ‘cn=admin,…’ entry of objectClass simpleSecurityObject is added
to the directory, and its DN (resp. userPassword attribute) is used as RootDN
(resp. RootPW) attribute on the database.

  root at fresti: ~# slapcat -n0 -s 'olcDatabase={1}hdb,cn=config' | grep ^olcRoot
  olcRootDN: cn=admin,dc=guilhem,dc=org
  olcRootPW:: e1NTSEF9a3FzRjFJRDdDR3YvZE02bWZOOGFFMWhabGo0NmRwSHY=
  root at fresti: ~# slapcat -n1 -s cn=admin,dc=guilhem,dc=org | grep ^userPassword
  userPassword:: e1NTSEF9a3FzRjFJRDdDR3YvZE02bWZOOGFFMWhabGo0NmRwSHY=

That password being randomly generated upon installation of a fresh directory,
it's not so useful (unless it is preseeded, which is arguably insecure).
Fortunately cn=config (DB #0) is writable by root, so she can reset the RootDN
(and RootPW) on DB #1 to the value of her choice, but it would be convenient to
have a debconf variable disabling password generation altogether and instead set

  olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

so that only the UNIX root has unrestricted access to DB #1 when SASL-binding
to the ldapi:// socket.  (That also removes the need to add an olcRootPW
attribute, or a cn=admin,… entry.)

Thanks!
Cheers,
-- 
Guilhem.


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (800, 'testing'), (700, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.13-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages slapd depends on:
ii  adduser                     3.113+nmu3
ii  coreutils                   8.21-1
ii  debconf [debconf-2.0]       1.5.52
ii  libc6                       2.18-4
ii  libdb5.3                    5.3.28-3
ii  libgcrypt11                 1.5.3-3
ii  libgnutls26                 2.12.23-13
ii  libldap-2.4-2               2.4.39-1
ii  libltdl7                    2.4.2-1.7
ii  libodbc1                    2.3.1-1
ii  libperl5.18                 5.18.2-2+b1
ii  libsasl2-2                  2.1.26.dfsg1-9
ii  libslp1                     1.2.1-9
ii  libwrap0                    7.6.q-25
ii  lsb-base                    4.1+Debian12
ii  multiarch-support           2.18-4
ii  perl [libmime-base64-perl]  5.18.2-2+b1
ii  psmisc                      22.21-1

Versions of packages slapd recommends:
ii  libsasl2-modules  2.1.26.dfsg1-9

Versions of packages slapd suggests:
ii  ldap-utils  2.4.39-1

-- debconf information:
  slapd/move_old_database: true
  slapd/dump_database: when needed
  slapd/no_configuration: false
  slapd/backend: HDB
  slapd/dump_database_destdir: /var/backups/slapd-VERSION
  slapd/upgrade_slapcat_failure:
  slapd/purge_database: false
  slapd/password_mismatch:
  shared/organization: guilhem.org
  slapd/domain: guilhem.org
  slapd/invalid_config: true
  slapd/allow_ldap_v2: false
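The change the report proposes, as an added example (not code from the report or from the slapd package): a small audit over slapcat-style LDIF that flags a database still carrying a password-based RootDN or an olcRootPW, and builds the ldapmodify input that switches it to the peercred DN. The entry layout is assumed to match the slapcat output quoted above; the sample entry and its hash value are constructed.

```python
import base64
import re

# RootDN proposed in the report: slapd maps UNIX root, SASL/EXTERNAL-binding
# over the ldapi:// socket, to this DN via the peercred mechanism.
PEERCRED_ROOT_DN = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
_ATTR = re.compile(r"^([A-Za-z][\w;.-]*):(:?) ?(.*)$")

def parse_ldif_entry(text):
    """Parse one slapcat-style LDIF entry into {attr: [values]}; joins folded
    lines and decodes '::' (base64) values such as olcRootPW."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:   # folded continuation line
            logical[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    attrs = {}
    for line in logical:
        m = _ATTR.match(line)
        if not m:                             # e.g. the "-" separator
            continue
        name, b64, value = m.groups()
        if b64:
            value = base64.b64decode(value).decode("utf-8", "replace")
        attrs.setdefault(name, []).append(value)
    return attrs

def audit_rootdn(db_entry):
    """Findings for an olcDatabase entry; [] means the rootdn is reachable
    only by UNIX root over ldapi:// and no olcRootPW is stored."""
    findings = []
    rootdn = db_entry.get("olcRootDN", [""])[0]
    if rootdn != PEERCRED_ROOT_DN:
        findings.append("olcRootDN is %r, not the ldapi peercred DN" % rootdn)
    if "olcRootPW" in db_entry:
        findings.append("olcRootPW is set: a password bind as rootdn is possible")
    return findings

def hardening_ldif(db_entry):
    """ldapmodify input that switches the database to the peercred RootDN and
    drops olcRootPW; apply with: ldapmodify -Y EXTERNAL -H ldapi:///"""
    ldif = ["dn: " + db_entry["dn"][0], "changetype: modify",
            "replace: olcRootDN", "olcRootDN: " + PEERCRED_ROOT_DN]
    if "olcRootPW" in db_entry:
        ldif += ["-", "delete: olcRootPW"]
    return "\n".join(ldif) + "\n"

# Constructed sample shaped like 'slapcat -n0 -s olcDatabase={1}hdb,cn=config'
# output; the base64 value is a made-up placeholder, not a real password hash.
WEAK_DB = parse_ldif_entry("""dn: olcDatabase={1}hdb,cn=config
olcRootDN: cn=admin,dc=example,dc=org
olcRootPW:: e1NTSEF9Y29uc3RydWN0ZWQtc2FtcGxl
""")
```

Running `audit_rootdn(WEAK_DB)` reports both the password-based RootDN and the stored olcRootPW; feeding the result of `hardening_ldif(WEAK_DB)` to ldapmodify over ldapi:// as root yields a database on which the audit is clean.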