[Fedora-directory-devel] Re: Please review: Bug 227771: FHS: use sysconfdir (/etc) as config file location

Howard Chu hyc at symas.com
Sat Feb 10 01:29:12 UTC 2007


> Date: Fri, 09 Feb 2007 10:37:19 -0700
> From: Richard Megginson <rmeggins at redhat.com>

>>> Date: Fri, 09 Feb 2007 08:15:11 -0700
>>> From: Richard Megginson <rmeggins at redhat.com>
>>> Does Debian forbid cfengine?  webmin?  If you do need to occasionally
>>> edit a config file, do you have to change the permissions on /etc to
>>> read-write, then change it back?
>>
>> For a lot of secure installs, yes, this is what's done.
>
> What does openldap do on those systems when using back-config?  Do you
> have a symlink from /etc/openldap/config to /var/whatever, so that
> people looking for some config can find it?

OpenLDAP doesn't really offer any recommendations here. I guess the answer 
depends on what you're trying to isolate.

A couple of Symas customers have deployed CDS using the back-ldap proxy in 
their DMZ as a frontend to their main directory servers (which, at the time, 
were not running on CDS). The motivation was that their servers were 
vulnerable to a number of malformed packet attacks (e.g., they crash 
unpredictably when faced with PROTOS). In these cases, once the configuration 
was created, it could be cast in stone. There's no local state info that 
changes at runtime.

If you actually wanted to run a mostly read-only secure server, but you could 
accept the risk of having a writable config, then yes, symlinking from 
/etc/something to /var/wherever would probably be the approach I would use.

-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc
   Chief Architect, OpenLDAP     http://www.openldap.org/project/
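
A small check for the layout Howard proposes in his last paragraph, added here as an example and not taken from the thread or from OpenLDAP: it verifies that a config symlink in /etc resolves inside the intended state directory under /var and that the target is not group- or world-writable, since whoever can write there controls the server's configuration. The directory names and the sandbox it builds are hypothetical; only /etc/openldap/config comes from the thread.

```shell
# Added example, not code from the thread or from OpenLDAP. Checks the
# "/etc symlink -> writable /var state dir" layout: the link is only as
# trustworthy as its resolved target. All paths are hypothetical.

# check_config_link LINK ALLOWED_BASE
# Succeeds (exit 0) when LINK is a symlink whose fully resolved target is a
# directory inside ALLOWED_BASE that is writable only by its owner. Prints
# the reason for any failure on stdout.
check_config_link() {
    link=$1 base=$2
    [ -L "$link" ] || { echo "not a symlink: $link"; return 1; }
    # Resolve both paths physically so ".." components and nested links
    # cannot disguise a target outside the base.
    target=$(cd -P -- "$link" 2>/dev/null && pwd -P) \
        || { echo "target of $link is dangling or not a directory"; return 1; }
    realbase=$(cd -P -- "$base" 2>/dev/null && pwd -P) \
        || { echo "missing base directory: $base"; return 1; }
    case "$target" in
        "$realbase"|"$realbase"/*) ;;
        *) echo "target $target escapes $realbase"; return 1 ;;
    esac
    # Column 6 of "ls -ld" is the group write bit, column 9 the other write bit.
    perm=$(ls -ld "$target" | cut -c1-10)
    case "$perm" in
        ?????w????|????????w?) echo "target $target is group/world writable"; return 1 ;;
    esac
    return 0
}

# demo_layout: constructed sandbox standing in for the real filesystem
# ("etc" plays the read-only tree, "var/lib/ldap" the state dir). Prints its root.
demo_layout() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/openldap" "$root/var/lib/ldap/config" "$root/tmp/stray"
    chmod 0700 "$root/var/lib/ldap/config"
    chmod 0777 "$root/tmp/stray"
    ln -s "$root/var/lib/ldap/config" "$root/etc/openldap/config"   # intended link
    ln -s "$root/tmp/stray" "$root/etc/openldap/config.stray"       # escapes the base
    echo "$root"
}

# Demo run: the intended link passes, the stray one is rejected with a reason.
ROOT=$(demo_layout)
for name in config config.stray; do
    if check_config_link "$ROOT/etc/openldap/$name" "$ROOT/var/lib/ldap"; then echo "OK: $name"; fi
done
rm -rf "$ROOT"
```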