Re: Configure replication without a plaintext password.

2024-03-08 Thread mbalakri
Thank you for sharing the test case, SASL/EXTERNAL is working.


RE: Configure replication without a plaintext password.

2024-03-08 Thread mbalakri
Thank you, it is working by enabling bindmethod=sasl and saslmech=external in 
olcSyncrepl configuration.
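For readers who want to see what that change looks like in cn=config, the following LDIF is an added illustration and is not from anyone on this thread. It shows a consumer olcSyncrepl value as it is typically written with a plaintext credential, followed by the same value rewritten for SASL/EXTERNAL with a client certificate, plus the provider-side settings that make the certificate identity usable. Host names, DNs, file paths and the certificate subject are constructed placeholders; the exact identity string the provider derives from your certificate should be confirmed with `ldapwhoami -Y EXTERNAL -H ldaps://provider.example.com` (with TLS_CERT/TLS_KEY set in ldap.conf or ~/.ldaprc) before writing the olcAuthzRegexp mapping.

```ldif
# Added example, not code from the thread. All names and paths are
# constructed placeholders.

# BEFORE: simple bind with a cleartext secret stored in cn=config.
# This is the situation the original question wants to avoid.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=001
 provider=ldaps://provider.example.com
 searchbase="dc=example,dc=com"
 type=refreshAndPersist
 retry="60 +"
 bindmethod=simple
 binddn="cn=replicator,dc=example,dc=com"
 credentials="PLAINTEXT-SECRET-HERE"

# AFTER: SASL/EXTERNAL over TLS. The consumer authenticates with its
# client certificate; no credentials= attribute is needed at all.
# tls_cert/tls_key/tls_cacert/tls_reqcert are syncrepl keywords from
# slapd-config(5); the file paths are placeholders.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=001
 provider=ldaps://provider.example.com
 searchbase="dc=example,dc=com"
 type=refreshAndPersist
 retry="60 +"
 bindmethod=sasl
 saslmech=EXTERNAL
 tls_cacert=/etc/ldap/tls/ca.pem
 tls_cert=/etc/ldap/tls/consumer-cert.pem
 tls_key=/etc/ldap/tls/consumer-key.pem
 tls_reqcert=demand

# PROVIDER: require a client certificate signed by the trusted CA, and map
# the certificate subject (as presented by SASL/EXTERNAL) to the directory
# entry that holds the replication ACLs. The subject string is an assumed
# example; check it with "ldapwhoami -Y EXTERNAL" first.
dn: cn=config
changetype: modify
replace: olcTLSVerifyClient
olcTLSVerifyClient: demand
-
add: olcAuthzRegexp
olcAuthzRegexp: "^cn=consumer.example.com,o=example org,c=us$"
 "cn=replicator,dc=example,dc=com"
```

With this in place the only secret on the consumer is the private key file, which can be protected with file-system permissions rather than appearing in a config attribute that is readable by anyone with access to cn=config. The replicator entry on the provider still needs the same read ACL on the replicated subtree that it had under simple bind; only the authentication step changes.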


Re: Configure replication without a plaintext password.

2024-03-08 Thread Quanah Gibson-Mount

--On Friday, March 8, 2024 5:42 PM + mbala...@opentext.com wrote:

> How to configure olcSyncrepl without a plaintext password? I tried using
> credentials="{SSHA256}jRlrKRCcrhYo7SqbPDc5WkoSxaHc8y/e0DPWaAnveUkQpQ7wEOWhsw=="
> format. Does olcSyncrepl accept password in {SSHA256} format?

You will need to use a passwordless SASL mechanism, as others have noted. 
If you peruse the test suite, you will see that test068-sasl-tls-external 
configures SASL/EXTERNAL certificate authentication in an OpenLDAP server. 
I use SASL/EXTERNAL certificate authentication in my replication setup.


Regards,
Quanah


RE: Configure replication without a plaintext password.

2024-03-08 Thread Christopher Paul
Hi mbalakri,

May I politely suggest that you try it yourself and see?

Chris Paul | https://www.rexconsulting.net

> -Original Message-
> From: mbala...@opentext.com 
> Sent: Friday, March 8, 2024 10:56 AM
> To: openldap-technical@openldap.org
> Subject: Re: Configure replication without a plaintext password.
> 
> Christopher Paul,
> https://www.openldap.org/faq/data/cache/1504.html, are you talking about
> this configuration?


Re: Configure replication without a plaintext password.

2024-03-08 Thread mbalakri
Christopher Paul,
https://www.openldap.org/faq/data/cache/1504.html, are you talking about this 
configuration?


Re: Configure replication without a plaintext password.

2024-03-08 Thread Christopher Paul
Using X.509 (sasl external) is super easy (once you figure it out, like a lot 
of this stuff), and is nice because you are not relying on a KDC, and no 
passwords need to be displayed in your syncrepl configs.


From: brendan kearney 
Sent: Friday, March 8, 2024 10:09 AM
To: Ben Poliakoff 
Cc: mbala...@opentext.com ; 
openldap-technical@openldap.org 
Subject: Re: Configure replication without a plaintext password.

Ben,

I would like to use GSSAPI for my replication. Would you be willing to share 
how you went about it?

Thanks,
Brendan


Re: Configure replication without a plaintext password.

2024-03-08 Thread brendan kearney
Ben,

I would like to use GSSAPI for my replication. Would you be willing to
share how you went about it?

Thanks,
Brendan

On Fri, Mar 8, 2024, 1:05 PM Ben Poliakoff  wrote:

> You definitely won't be able to use a password hash as a credential for
> syncrepl. A hash is a one way function so you can't readily derive the
> password from it (except via exhaustive brute force).
>
> To avoid storing a clear text password in your config, you'll need to use
> another mechanism such as GSSAPI. That's what I use in my installations.
> x509 certificates/keys might be another option.
>
> All of the options are more complicated than using a plain text password,
> but they're also a bit more secure.
>
> Ben
>
> On Fri, Mar 8, 2024, 9:43 AM  wrote:
>
>> How to configure olcSyncrepl without a plaintext password? I tried using
>> credentials="{SSHA256}jRlrKRCcrhYo7SqbPDc5WkoSxaHc8y/e0DPWaAnveUkQpQ7wEOWhsw=="
>> format. Does olcSyncrepl accept password in {SSHA256} format?
>>
>


Re: Configure replication without a plaintext password.

2024-03-08 Thread Ben Poliakoff
You definitely won't be able to use a password hash as a credential for
syncrepl. A hash is a one way function so you can't readily derive the
password from it (except via exhaustive brute force).

To avoid storing a clear text password in your config, you'll need to use
another mechanism such as GSSAPI. That's what I use in my installations.
x509 certificates/keys might be another option.

All of the options are more complicated than using a plain text password,
but they're also a bit more secure.

Ben

On Fri, Mar 8, 2024, 9:43 AM  wrote:

> How to configure olcSyncrepl without a plaintext password? I tried using
> credentials="{SSHA256}jRlrKRCcrhYo7SqbPDc5WkoSxaHc8y/e0DPWaAnveUkQpQ7wEOWhsw=="
> format. Does olcSyncrepl accept password in {SSHA256} format?
>