From b2d89e08d03d6f50ee68bc0f07bafd2acb184575 Mon Sep 17 00:00:00 2001
From: Timothy Pearson <kb9vqf@pearsoncomputing.net>
Date: Thu, 7 Mar 2019 18:04:46 -0600
Subject: [PATCH] Fix access to ldap configuration files on non-controller
 (workstation) systems

---
 src/libtdeldap.cpp | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index bf744dc..c217398 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -3375,9 +3375,19 @@ int LDAPManager::writeLDAPConfFile(LDAPRealmConfig realmcfg, LDAPMachineRole mac
 
 	delete systemconfig;
 
-	if (chmod(KDE_CONFDIR "/ldap/ldapconfigrc", S_IRUSR|S_IWUSR|S_IRGRP) < 0) {
-		if (errstr) *errstr = TQString("Unable to change permissions of \"%1\"").arg(KDE_CONFDIR "/ldap/ldapconfigrc");
-		return -1;
+	if ((machineRole == ROLE_PRIMARY_REALM_CONTROLLER) || (machineRole == ROLE_SECONDARY_REALM_CONTROLLER)) {
+		// The file may contain multi-master replication secrets, therefore only root should be able to read it
+		if (chmod(KDE_CONFDIR "/ldap/ldapconfigrc", S_IRUSR|S_IWUSR|S_IRGRP) < 0) {
+			if (errstr) *errstr = TQString("Unable to change permissions of \"%1\"").arg(KDE_CONFDIR "/ldap/ldapconfigrc");
+			return -1;
+		}
+	}
+	else {
+		// Normal users should be allowed to read realm configuration data in order to launch realm administration utilities
+		if (chmod(KDE_CONFDIR "/ldap/ldapconfigrc", S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) {
+			if (errstr) *errstr = TQString("Unable to change permissions of \"%1\"").arg(KDE_CONFDIR "/ldap/ldapconfigrc");
+			return -1;
+		}
 	}
 
 	return 0;