On Thursday 07 June 2007 01:24:45 Craig wrote:
> I need to create a user (or 2) for replication only, but don't really
> know where to put it or which structural class it should be.
>
> I was thinking about:
> dn: uid=Replicator,dc=example,dc=com
> objectClass: top
> objectClass: account
> objectClass: shadowAccount
No need for shadowAccount.

> userPassword: <some pw>
> uid: Replicator
>
> This works, but is this really the best way to create "admin accounts"?
>
> For me, "admin accounts" are accounts used for various tasks related to
> server (not necessarily just slapd) maintenance. (Replication is the
> only "task" I can think of at the moment.)
>
> Also, I have the following org unit:
> dn: ou=People,dc=example,dc=com
> ou: People
> objectClass: top
> objectClass: organizationalUnit
>
> I was putting the above DN (cn=Replicator,...) in the root (as opposed
> to "ou=People,..."). Does that make sense? Or should I create an ou just
> for "admin/misc" accounts?

I created two branches in my tree called "ou=System Groups" and "ou=System Accounts". These kinds of "users" I put there, and I use the group names in ACLs.

> Lastly, is there a way to give a "non-plain text" password for the
> syncrepl user:
> syncrepl rid=123
> ...
> bindmethod=simple
> binddn="cn=Replicator,dc=example,dc=com"
> credentials={SSHA}<encrypted string>
>
> All of the examples and docs seem to indicate that the credentials
> should be the password for the "binddn" in clear text.

Yes. Think about it: it's like a user typing his/her password at a login prompt. The OpenLDAP server (consumer) is behaving like a regular LDAP client in this context.

You can get away with it, a bit, if using SASL GSSAPI or perhaps EXTERNAL. But a secret will always be stored on the machine, be it a password, private key, keytab file, etc.

> TIA!
> Craig
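The layout the reply sketches (a System Accounts and a System Groups branch, the group name used in ACLs, a cleartext syncrepl password on the consumer, and SASL EXTERNAL as the password-free alternative), worked out as an added example. This is not configuration from the thread or from either poster's servers: the DNs, hostnames, file paths and certificate subject are assumptions, and the starttls= and tls_* syncrepl keywords assume OpenLDAP 2.4 or later. The entry uses the auxiliary class simpleSecurityObject to carry userPassword, since the structural class account by itself does not list that attribute.

```conf
# Added example, not from the thread. Section 1 is LDIF loaded on the
# provider with ldapadd; sections 2-4 are slapd.conf fragments. Every DN,
# host name, path and certificate subject below is an assumption.

# --- 1. Entries on the provider (LDIF) -----------------------------------
dn: ou=System Accounts,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: System Accounts

dn: ou=System Groups,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: System Groups

# account (structural) + simpleSecurityObject (auxiliary, MUST userPassword).
# The stored value is a hash from `slappasswd -s <password>`; slapd compares
# the cleartext the consumer sends at bind time against it.
dn: uid=Replicator,ou=System Accounts,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
uid: Replicator
userPassword: {SSHA}<hash from slappasswd>

dn: cn=Replicators,ou=System Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: Replicators
member: uid=Replicator,ou=System Accounts,dc=example,dc=com

# --- 2. Provider slapd.conf: ACLs keyed on the group name ----------------
# These clauses go before the site's normal rules: a later rule that stops
# userPassword at "auth" would otherwise keep the hashes out of the replica.
access to attrs=userPassword
    by group.exact="cn=Replicators,ou=System Groups,dc=example,dc=com" read
    by anonymous auth
    by self write
    by * none

access to *
    by group.exact="cn=Replicators,ou=System Groups,dc=example,dc=com" read
    by * break

# A full refresh must not be cut short by size or time limits.
limits group/groupOfNames/member="cn=Replicators,ou=System Groups,dc=example,dc=com"
    size=unlimited time=unlimited

# --- 3. Consumer slapd.conf: simple bind ---------------------------------
# credentials= is the cleartext password. An {SSHA} string here would be
# sent as the literal password and the bind would fail. TLS keeps it off the
# wire; slapd.conf mode 0600 owned by the slapd user keeps it from other
# local users. That file is the secret the reply refers to.
syncrepl rid=123
    provider=ldap://provider.example.com
    type=refreshAndPersist
    retry="60 +"
    searchbase="dc=example,dc=com"
    bindmethod=simple
    binddn="uid=Replicator,ou=System Accounts,dc=example,dc=com"
    credentials=the-replicator-cleartext-password
    starttls=critical
    tls_reqcert=demand
    tls_cacert=/etc/ldap/ca.pem

# --- 4. Alternative: SASL EXTERNAL over TLS ------------------------------
# No password on the consumer, but the private key is now the secret and
# needs the same file protection.
# consumer:
syncrepl rid=124
    provider=ldap://provider.example.com
    type=refreshAndPersist
    retry="60 +"
    searchbase="dc=example,dc=com"
    bindmethod=sasl
    saslmech=EXTERNAL
    starttls=critical
    tls_cert=/etc/ldap/consumer.crt.pem
    tls_key=/etc/ldap/consumer.key.pem
    tls_cacert=/etc/ldap/ca.pem

# provider: map the client certificate's subject (assumed here to be
# cn=consumer.example.com,ou=Servers,o=Example) onto the replicator entry,
# so the same group ACL and limits apply to both bind methods.
authz-regexp
    "^cn=consumer\.example\.com,ou=servers,o=example$"
    "uid=Replicator,ou=System Accounts,dc=example,dc=com"
```

Before trusting the authz-regexp, check what identity the provider actually derives from the certificate with `ldapwhoami -H ldap://provider.example.com -ZZ -Y EXTERNAL` run from the consumer, and adjust the pattern to match that string exactly.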