[Fedora-directory-devel] Please review: Bug 243205: allow instance creation with no .inf file; allow pre-hashed RootDNPwd

Richard Megginson rmeggins at redhat.com
Thu Jun 7 21:53:13 UTC 2007


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=243205
Resolves: bug 243205
Bug Description: allow instance creation with no .inf file; allow 
pre-hashed RootDNPwd
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: You can now use ds_newinst.pl without (or with) a .inf 
file like this:
  ds_newinst.pl General.SuiteSpotUserID=nobody slapd.ServerPort=3890 ....
The parameters can be supplied via the command line.  The format of the 
parameter is section.param=value.  Normal shell quoting rules apply, so 
you still have to do something like this:
  ds_newinst.pl "slapd.Suffix=dc=example, dc=com"
for embedded spaces and the like.  If you supply a filename (or '-'), it 
must be the first argument after ds_newinst.pl.  If you then supply 
additional arguments after the filename, these will override the 
settings in the given inf file.  So, for example, you could reuse the 
same .inf file, except provide a different hostname:
  ds_newinst.pl basefile.inf General.FullMachineName=bar.example.com
This allows you to use the same base .inf file for several machines, and 
only change certain parameters on a per-machine basis.
ds_newinst.pl will now fill in some default values - it will use 
Net::Domain::hostfqdn for FullMachineName, and your login ID for 
SuiteSpotUserID (however, not if running ds_newinst.pl as root), and 
will construct the Suffix and ServerIdentifier based on the 
FullMachineName.  RootDN will default to cn=Directory Manager.  
ServerRoot is no longer required.
Another enhancement is the ability to provide a pre-hashed password for 
the RootDNPwd parameter, to avoid having to pass around the clear text 
directory manager password.  However, some caveats apply.  If the 
password begins with one of the well known hash algorithms (e.g. {SHA, 
{SSHA, etc.), ds_newinst will assume it is already hashed.  This may 
cause problems if users expect to be able to provide a clear text 
password such as {SSHA}text, but I seriously doubt anyone does that 
(famous last words . . .).  Another problem is that the code as it 
currently stands uses the clear text password to bind to the server 
after starting the server to add some additional entries and ACIs.  This 
cannot be done if a pre-hashed password is provided (but we're working 
on a solution to that problem too).
write_ldap_info() is no longer needed.
Finally, a couple of minor bug fixes.
Platforms tested: RHEL4
Flag Day: no
Doc impact: Yes.  There will be some documentation changes required.
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=156518&action=diff
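
The pre-hashed RootDNPwd caveat above, as an added example (not code from ds_newinst.pl or from the patch): it builds an {SSHA} value and compares the prefix-only test the message describes with a stricter structural check. The scheme table, the function names and the stricter check are assumptions made for illustration; the sample values are constructed.

```perl
#!/usr/bin/perl
# Added illustration; not code from ds_newinst.pl.
use strict;
use warnings;
use Digest::SHA qw(sha1);
use MIME::Base64 qw(encode_base64 decode_base64);

# Assumed scheme table: the message names only {SHA and {SSHA ("etc.").
# Values are the SHA-1 digest size in bytes.
my %DIGEST_LEN = (SHA => 20, SSHA => 20);

# Build an {SSHA} value: base64( sha1(password . salt) . salt ).
sub ssha_hash {
    my ($clear, $salt) = @_;
    return '{SSHA}' . encode_base64(sha1($clear . $salt) . $salt, '');
}

# Prefix-only test, as the message describes it: a known scheme tag
# at the start is taken to mean "already hashed".
sub looks_hashed_by_prefix {
    my ($pw) = @_;
    return ($pw =~ /^\{(\w+)\}/ && exists $DIGEST_LEN{uc($1)}) ? 1 : 0;
}

# Stricter test (hypothetical): the payload must also be well-formed
# base64 that decodes to a digest (SHA) or digest plus salt (SSHA).
sub looks_hashed_strict {
    my ($pw) = @_;
    my ($scheme, $b64) = $pw =~ /^\{(\w+)\}(.*)\z/s or return 0;
    my $min = $DIGEST_LEN{uc($scheme)} or return 0;
    return 0 unless length($b64) % 4 == 0
                 && $b64 =~ m{^[A-Za-z0-9+/]+={0,2}\z};
    my $raw_len = length(decode_base64($b64));
    return uc($scheme) eq 'SSHA' ? ($raw_len >  $min ? 1 : 0)
                                 : ($raw_len == $min ? 1 : 0);
}

# Constructed sample values, not real credentials. The fixed salt is
# only for a repeatable demo; a real hash needs a random salt.
my @samples = (
    ssha_hash('Secret123', 'saltsalt'),   # properly hashed value
    '{SSHA}text',                         # clear text that starts with a tag
    'plain-password',                     # ordinary clear text
);
for my $pw (@samples) {
    printf "%-48s prefix=%d strict=%d\n",
        $pw, looks_hashed_by_prefix($pw), looks_hashed_strict($pw);
}
```

The second sample is the case the message mentions: the prefix test treats `{SSHA}text` as already hashed, while the structural check rejects it because `text` does not decode to a digest plus salt.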
