Note that the directory containing the replogfile as well as

the slurpd temporary directory should have limited read/write/execute
access.

diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index 92da56e3b61bbd1944b9b43fe66aa5cac449c5dd..d7b20945f9065ea4e1bb7f654226ec937b1b1291 100644 (file)
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -536,7 +536,9 @@ and read by
 .BR slurpd (8).
 See
 .BR slapd.replog (5)
-for more information.
+for more information.  The specified file should be located
+in a directory with limited read/write/execute access as the replication
+logs may contain sensitive information.
 .TP
 .B rootdn <dn>
 Specify the distinguished name that is not subject to access control 

diff --git a/doc/man/man8/slurpd.8 b/doc/man/man8/slurpd.8
index 1ea989a946fddef8fcb94c98f7a0ba41ed508b16..4323970700bc434e02f1dbb101ee69d3be3494ee 100644 (file)
--- a/doc/man/man8/slurpd.8
+++ b/doc/man/man8/slurpd.8
@@ -82,7 +82,8 @@ Specifies the name of the
 replication logfile.  Normally, the name
 of the replication log file is read from the 
 .B slapd
-configuration file.
+configuration file.  The file should be located in a directory
+with limited read/write/execute access.
 The
 .B \-r
 option allows you to override this.  In conjunction with the
@@ -107,6 +108,8 @@ processes a replication log and exits.
 .BI \-t " temp\-dir"
 .B slurpd
 copies the replication log to a working directory before processing it.
+The directory permissions should limit read/write/execute access as
+temporary files may contain sensitive information.
 This option allows you to specify the location of these temporary files. 
 The default is
 .BR LOCALSTATEDIR/openldap-slurp .