Hi,

Although I use cn=config instead of slapd.conf, my setup is similar. I've created one user (e.g. cn=replicator) with global read access, created a certificate (and private key) for that user and mapped it to the user via:
olcAuthzRegexp: {0}"cn=certificate data comes here" "cn=replicator"

then my replica line looks like this:

olcSyncrepl: {0}rid=001 provider=ldap://firstserver bindmethod=sasl saslmech=external
  authcid="cn=certificate data comes here" starttls=critical
  tls_cert=/path/to/the/cert tls_key=/path/to/the/privatekey
  tls_cacert=/path/to/the/cacert tls_reqcert=demand
  searchbase="dc=example,dc=com" type=refreshAndPersist
  retry="5 5 300 5" timeout=1

> Hi,
>
> I have version 2.4.22 running with mirrormode enabled and it is
> working well.
>
> I have a question regarding the credentials field in the syncrepl part
> in slapd.conf.
>
> Must this be cleartext or can it be encrypted and what is considered
> good practice regarding which binddn to use. (e.g. should I create a
> user with cleartext password specifically for replication?)
>
> Up to now I have used the same binddn as my rootdn but I can only get
> this to work with a cleartext password and I don't want to have my
> rootpw as cleartext in slapd.conf.
>
> Here is my current slapd.conf snippet
>
> database bdb
> suffix "dc=example,dc=com"
> rootdn "cn=Manager,dc=example,dc=com"
> moduleload syncprov
>
> overlay syncprov
> syncprov-checkpoint 1 1
> syncprov-sessionlog 100
>
> # Cleartext passwords, especially for the rootdn, should
> # be avoided. See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> rootpw secret
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory /var/lib/ldap
> # Indices to maintain
> index objectClass eq
>
> syncrepl rid=123
>   provider=ldap://server:389
>   type=refreshAndPersist
>   retry="5 5 300 +"
>   searchbase="dc=example,dc=com"
>   attrs="*,+"
>   bindmethod=simple
>   binddn="cn=Manager,dc=uniscope,dc=jp"
>   credentials=secret
>
> mirrormode on
>
>
> Any help would be appreciated. Thanks.
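As an added illustration of the approach in the reply above (example configuration written for this page, not the poster's own cn=config), the following LDIF shows the complete set of cn=config changes a consumer needs so that the replication identity never carries a cleartext password: the client certificate's subject DN is mapped to cn=replicator,dc=example,dc=com by olcAuthzRegexp, that DN is given read access plus unlimited search limits, and olcSyncrepl binds with SASL EXTERNAL over TLS with no credentials= at all. The certificate subject, hostnames, file paths and the mdb database (olcDatabase={1}mdb; on 2.4.22 with bdb it would be olcDatabase={1}bdb) are assumptions. The subject string in the regexp must match exactly what `ldapwhoami -Y EXTERNAL -ZZ -H ldap://firstserver.example.com` prints when run with the replicator's certificate (set via the LDAPTLS_CERT and LDAPTLS_KEY environment variables), because that string is the authcid slapd hands to the authz-regexp.

```ldif
# Added example, not from the original thread. Assumptions:
#  - both servers run cn=config with the data in olcDatabase={1}mdb
#  - the replicator's client certificate has subject CN=replicator,O=Example,C=JP,
#    which slapd presents to authz-regexp as "cn=replicator,o=example,c=jp"
#    (verify with: ldapwhoami -Y EXTERNAL -ZZ -H ldap://firstserver.example.com)
#  - the replication identity is cn=replicator,dc=example,dc=com; it does not
#    have to exist as an entry, the ACL below matches it by DN string

# 1. Map the certificate DN to the replication identity. The regex is anchored so
#    that another certificate issued by the same CA cannot match by accident.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: {0}"^cn=replicator,o=example,c=jp$" "cn=replicator,dc=example,dc=com"

# 2. Read access to the whole tree (attrs="*,+" in syncrepl needs the operational
#    attributes entryCSN and entryUUID too), inserted ahead of the existing ACLs with
#    "break" so the remaining rules still apply to everyone else. Unlimited size and
#    time limits keep a full refresh from being truncated on a large directory.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.exact="cn=replicator,dc=example,dc=com" read by * break
-
add: olcLimits
olcLimits: {0}dn.exact="cn=replicator,dc=example,dc=com" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited

# 3. Consumer side: authenticate with the certificate only. starttls=critical refuses
#    to replicate over a cleartext connection and tls_reqcert=demand makes the consumer
#    verify the provider's certificate, so neither side falls back to an unverified peer.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: {0}rid=001 provider=ldap://firstserver.example.com
  bindmethod=sasl saslmech=external
  authcid="cn=replicator,o=example,c=jp"
  starttls=critical tls_reqcert=demand
  tls_cert=/etc/ldap/replicator-cert.pem
  tls_key=/etc/ldap/replicator-key.pem
  tls_cacert=/etc/ldap/ca.pem
  searchbase="dc=example,dc=com" attrs="*,+"
  type=refreshAndPersist retry="5 5 300 +" timeout=1
```

Apply sections 1 and 2 on every server that acts as a provider and section 3 on every consumer; for the mirror-mode setup in the original question that means all three sections on both servers, each with its own rid and the provider= pointing at the other host, plus olcMirrorMode: TRUE on the database. The private key file should be readable only by the slapd user, since it now stands in for the password the original snippet kept in cleartext.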