openldap2/slapd.service

[Unit]
Description=OpenLDAP Server Daemon
After=syslog.target network.target

[Service]
Type=forking
ExecStart=/usr/lib/openldap/start

# Hardening to prevent security escalation.
## Future hardening for FS protection.
# ProtectSystem=full
# ReadWritePaths=/etc/openldap/slapd.d /var/lib/ldap

RestrictSUIDSGID=true
NoNewPrivileges=true
PrivateTmp=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
MemoryDenyWriteExecute=true

[Install]
WantedBy=multi-user.target
Accepting request 354705 from home:stroeder:branches:network:ldap Compared to my obsoleted request #339745: 1. sysconfdir now correctly is /etc/openldap 2. slapd starts with default configuration file (tested on openSUSE 13.2 and Tumbleweed) 3. added Recommends: cyrus-sasl 4. replaced README.dynamic-overlays by README.module-loading with updated text 5. added patch for OpenLDAP ITS#8336 OBS-URL: https://build.opensuse.org/request/show/354705 OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=146 2016-01-21 14:36:42 +01:00			`[Unit]`
			`Description=OpenLDAP Server Daemon`
			`After=syslog.target network.target`

			`[Service]`
			`Type=forking`
			`ExecStart=/usr/lib/openldap/start`

Accepting request 1031422 from home:firstyear:branches:network:ldap - bsc#1202931 - CVE-2022-31253 - Openldap start script allowed the ldap user to privilege escalate to root due to unbound chown commands. OBS-URL: https://build.opensuse.org/request/show/1031422 OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=307 2022-10-27 03:27:25 +02:00			`# Hardening to prevent security escalation.`
			`## Future hardening for FS protection.`
			`# ProtectSystem=full`
			`# ReadWritePaths=/etc/openldap/slapd.d /var/lib/ldap`

			`RestrictSUIDSGID=true`
			`NoNewPrivileges=true`
			`PrivateTmp=true`
			`PrivateDevices=true`
			`ProtectHostname=true`
			`ProtectClock=true`
			`ProtectKernelTunables=true`
			`ProtectKernelModules=true`
			`ProtectKernelLogs=true`
			`ProtectControlGroups=true`
			`MemoryDenyWriteExecute=true`

Accepting request 354705 from home:stroeder:branches:network:ldap Compared to my obsoleted request #339745: 1. sysconfdir now correctly is /etc/openldap 2. slapd starts with default configuration file (tested on openSUSE 13.2 and Tumbleweed) 3. added Recommends: cyrus-sasl 4. replaced README.dynamic-overlays by README.module-loading with updated text 5. added patch for OpenLDAP ITS#8336 OBS-URL: https://build.opensuse.org/request/show/354705 OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=146 2016-01-21 14:36:42 +01:00			`[Install]`
			`WantedBy=multi-user.target`