
b2d89e08 2019-03-08 00:05:26 Timothy Pearson
Fix access to ldap configuration files on non-controller (workstation) systems
M src/libtdeldap.cpp

src/libtdeldap.cpp

diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index bf744dc..c217398 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -3375,9 +3375,19 @@
 
 	delete systemconfig;
 
-	if (chmod(KDE_CONFDIR "/ldap/ldapconfigrc", S_IRUSR|S_IWUSR|S_IRGRP) < 0) {
-		if (errstr) *errstr = TQString("Unable to change permissions of \"%1\"").arg(KDE_CONFDIR "/ldap/ldapconfigrc");
-		return -1;
+	if ((machineRole == ROLE_PRIMARY_REALM_CONTROLLER) || (machineRole == ROLE_SECONDARY_REALM_CONTROLLER)) {
+		// The file may contain multi-master replication secrets, therefore only root should be able to read it
+		if (chmod(KDE_CONFDIR "/ldap/ldapconfigrc", S_IRUSR|S_IWUSR|S_IRGRP) < 0) {
+			if (errstr) *errstr = TQString("Unable to change permissions of \"%1\"").arg(KDE_CONFDIR "/ldap/ldapconfigrc");
+			return -1;
+		}
+	}
+	else {
+		// Normal users should be allowed to read realm configuration data in order to launch realm administration utilities
+		if (chmod(KDE_CONFDIR "/ldap/ldapconfigrc", S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) {
+			if (errstr) *errstr = TQString("Unable to change permissions of \"%1\"").arg(KDE_CONFDIR "/ldap/ldapconfigrc");
+			return -1;
+		}
 	}
 
 	return 0;
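Review bot: The controller branch's comment says "only root should be able to read it", but the mode it sets (`S_IRUSR|S_IWUSR|S_IRGRP`, i.e. 0640) still lets every member of the file's group read the replication secrets, and chmod() on its own does not fix the owner or group — whatever uid/gid created the file keeps it. Either drop `S_IRGRP` on the controller path, or reword the comment to "root and the file's group" and add a `chown(path, 0, 0)` (or a comment stating the caller already guarantees root ownership) so the mode actually means what the comment claims. On the workstation path, 0644 is only safe if that copy of ldapconfigrc never carries the replication secrets; the comment asserts this but nothing in the hunk enforces it, so it is worth a `// NOTE: workstation ldapconfigrc must never contain replication credentials` next to the chmod and a check where the file is written. As a style point, both branches are the same chmod/error/return sequence with only the mode differing, so a single chmod driven by a mode variable removes the duplicated error string. The enclosing function begins before this hunk.
```cpp
	// Controllers may hold multi-master replication secrets: owner-only access.
	// Workstations only need realm data readable by users launching admin tools.
	const bool isController = (machineRole == ROLE_PRIMARY_REALM_CONTROLLER)
	                       || (machineRole == ROLE_SECONDARY_REALM_CONTROLLER);
	const mode_t mode = isController ? (S_IRUSR|S_IWUSR) : (S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
	if (chmod(KDE_CONFDIR "/ldap/ldapconfigrc", mode) < 0) {
		if (errstr) *errstr = TQString("Unable to change permissions of \"%1\"").arg(KDE_CONFDIR "/ldap/ldapconfigrc");
		return -1;
	}
	// … unchanged: return 0 …
```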