Onno van der Straaten wrote:
> Second corruption in one day. Trying to add module using ldif
>
> dn: cn=module{0},cn=config
> objectClass: olcModuleList
> cn: module{0}
> olcModulePath: /usr/lib64/openldap/
> olcModuleLoad: slapd-sha2.so
>
> As it was not working correctly I tried to remove this module. This is not
> implemented!!! You can delete a module once it is added.
>
> I created a backup file of this config file. When manual edit failed, I
> moved the backup file back in. This is the result
>
> [user@server cn=config]# service slapd configtest
> Checking configuration files for slapd: [FAILED]
> 54758693 ldif_read_file: Permission denied for
> "/etc/openldap/slapd.d/cn=config/cn=module{0}.ldif"
> slaptest: bad configuration file!

Most likely you're working as root and slapd is running as a non-root user.
If you manually modified back-config's files you should check
ownership/permissions.

> I know I can use other directory servers. But I also think that the
> OpenLDAP community should not claim to offer good encryption of password
> when out-of-the-box you get NO encryption and you have to first become an
> OpenLDAP core developer to get this good encryption.

Personally I currently would not use slapd-sha2.so because SHA-2 hashes
are optimized for performance.

You could use a stronger {CRYPT} schema (not the default!). E.g. I have in
slapd.conf (static config):

password-hash {CRYPT}
password-crypt-salt-format "$6$%.12s"

Make sure you understand crypt hash schemes in man-page crypt(3). The
caveat is that {CRYPT} is not really platform-independent.

Ciao, Michael.
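The two points Michael raises above, a back-config tree whose files the slapd account can no longer read after a root-side edit, and userPassword values stored with a fast or absent hash, lend themselves to a small audit script. The following is an added example and is not code from the thread or from the OpenLDAP project. It assumes a POSIX host; the slapd.d tree it inspects is a hypothetical one built in a temporary directory, and every userPassword value it classifies is constructed (the "hash" bodies are filler, not real digests). The salt helper only emulates what a printf-style password-crypt-salt-format string such as "$6$%.12s" produces; it does not compute the crypt(3) hash itself.

```python
"""Added example (not from the thread): two defender-side checks for the
problems discussed above. Runs offline on POSIX; all sample values are
constructed and the hypothetical slapd.d tree is created in a temp dir."""
import os
import re
import secrets
import shutil
import stat
import tempfile

# crypt(3) identifiers as they appear in OpenLDAP {CRYPT} values ("$6$...").
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
             "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
             "y": "yescrypt", "7": "scrypt"}
# Iterated/cost-tunable schemes; everything else is a single fast digest.
SLOW_ALGOS = {"sha256crypt", "sha512crypt", "bcrypt", "yescrypt", "scrypt"}
SALT_CHARS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)


def make_crypt_salt(salt_format, nchars=16):
    """Emulate password-crypt-salt-format: the random salt characters are
    pushed through a printf-style string, so '$6$%.12s' yields '$6$' plus
    exactly 12 salt characters (the %.12s precision truncates)."""
    return salt_format % "".join(secrets.choice(SALT_CHARS) for _ in range(nchars))


def classify_userpassword(value):
    """Return (scheme, algorithm, salt) for one userPassword attribute value."""
    m = SCHEME_RE.match(value)
    if not m:
        return ("CLEARTEXT", "none", None)
    scheme, body = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return (scheme, scheme, None)          # SSHA, SHA, MD5, ...: one digest pass
    if not body.startswith("$"):
        return (scheme, "descrypt", body[:2])  # traditional DES crypt: 2-char salt
    parts = body.split("$")                    # ['', id, ['rounds=N'], salt, hash]
    algo = CRYPT_IDS.get(parts[1], "unknown:" + parts[1])
    salt = None
    if parts[1] in ("1", "5", "6"):            # modular-crypt layout with a salt field
        salt = [p for p in parts[2:] if not p.startswith("rounds=")][0]
    return (scheme, algo, salt)


def audit_userpasswords(values):
    """Return (scheme, algorithm, weak) per value; weak means the value is
    cleartext or hashed with a non-iterated scheme."""
    report = []
    for v in values:
        scheme, algo, _salt = classify_userpassword(v)
        report.append((scheme, algo, algo not in SLOW_ALGOS))
    return report


def backconfig_problems(root, uid, gid):
    """Walk a slapd.d tree and report files the slapd account (uid/gid) cannot
    read from its mode bits, plus files readable by everyone (they may hold
    password hashes and olcRootPW)."""
    problems = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            mode = stat.S_IMODE(st.st_mode)
            readable = ((st.st_uid == uid and mode & stat.S_IRUSR)
                        or (st.st_gid == gid and mode & stat.S_IRGRP)
                        or (mode & stat.S_IROTH))
            if not readable:
                problems.append((path, "not readable by slapd uid %d" % uid))
            if mode & stat.S_IROTH:
                problems.append((path, "world-readable (mode %o)" % mode))
    return problems


def demo_backconfig_check():
    """Recreate the thread's situation in a temp dir: a module LDIF restored
    from a backup owned by the editing user with mode 0600. Returns problem
    counts for (a) that user, (b) a different uid/gid, (c) after chmod 644."""
    root = tempfile.mkdtemp(prefix="slapd.d-")
    try:
        sub = os.path.join(root, "cn=config")
        os.mkdir(sub)
        ldif = os.path.join(sub, "cn=module{0}.ldif")
        with open(ldif, "w") as f:
            f.write("dn: cn=module{0}\nobjectClass: olcModuleList\n")
        os.chmod(ldif, 0o600)
        me, my_gid = os.getuid(), os.getgid()
        as_owner = len(backconfig_problems(root, me, my_gid))
        as_other = len(backconfig_problems(root, me + 1, my_gid + 1))
        os.chmod(ldif, 0o644)
        world = len(backconfig_problems(root, me + 1, my_gid + 1))
        return (as_owner, as_other, world)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("salt from '$6$%.12s':", make_crypt_salt("$6$%.12s"))
    for v in ["secret", "{SSHA}c2FsdGVkc2hhMQ==",
              "{CRYPT}ab" + "x" * 11,
              "{CRYPT}$6$rounds=100000$" + "s" * 12 + "$" + "h" * 86]:
        print(classify_userpassword(v), "weak" if audit_userpasswords([v])[0][2] else "ok")
    print("backconfig problems (owner, other uid, world-readable):",
          demo_backconfig_check())
```

In the real case the uid/gid passed to backconfig_problems would be those of the account slapd runs as (e.g. from `id ldap`), and the walk would start at /etc/openldap/slapd.d; the script deliberately reads only mode bits, so it can be run as root without the root-can-read-anything effect hiding the problem slaptest reported.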