Hi,

Although I use cn=config instead of slapd.conf, my setup is similar.
I've created one user (e.g. cn=replicator) with global read access.
Created a certificate (and private key) for that user and mapped it to
the user via:

olcAuthzRegexp: {0}"cn=certificate data comes here" "cn=replicator"

then my replica line looks like this:

olcSyncrepl: {0}rid=001 provider=ldap://firstserver bindmethod=sasl
 saslmech=external authcid="cn=certificate data comes here"
 starttls=critical tls_cert=/path/to/the/cert
 tls_key=/path/to/the/privatekey tls_cacert=/path/to/the/cacert
 tls_reqcert=demand searchbase="dc=example,dc=com"
 type=refreshAndPersist retry="5 5 300 5" timeout=1

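As an added example (not code from either message in this thread), here is a small Python audit that parses a syncrepl / olcSyncrepl stanza and flags the weak pattern from the question (cleartext credentials, binding as the rootdn) while checking that the SASL EXTERNAL setup described above carries its TLS settings. The two sample stanzas are constructed; hostnames and file paths in them are placeholders.

```python
import re
import shlex

# Constructed sample stanzas (not copied from the thread): the weak
# slapd.conf-style consumer and a hardened cn=config variant.
WEAK = '''syncrepl rid=123
  provider=ldap://server:389
  type=refreshAndPersist
  retry="5 5 300 +"
  searchbase="dc=example,dc=com"
  bindmethod=simple
  binddn="cn=Manager,dc=example,dc=com"
  credentials=secret'''

HARDENED = '''olcSyncrepl: {0}rid=001 provider=ldap://firstserver bindmethod=sasl
 saslmech=external authcid="cn=replicator" starttls=critical
 tls_cert=/path/to/cert tls_key=/path/to/key tls_cacert=/path/to/cacert
 tls_reqcert=demand searchbase="dc=example,dc=com" type=refreshAndPersist'''

def parse_syncrepl(text):
    """Join wrapped lines (simplification: every wrapped line is treated as a
    token boundary), drop the directive name / {n} ordering prefix, and split
    into a dict. shlex keeps quoted values like retry="5 5 300 +" together."""
    body = " ".join(line.strip() for line in text.splitlines())
    body = re.sub(r'^(olcSyncrepl:\s*(\{\d+\})?|syncrepl)\s*', '', body)
    return dict(tok.split("=", 1) for tok in shlex.split(body) if "=" in tok)

def audit_syncrepl(text, rootdn=None):
    """Return a list of findings; an empty list means the stanza is clean."""
    cfg = parse_syncrepl(text)
    findings = []
    # syncrepl defaults to bindmethod=simple when none is given
    if cfg.get("bindmethod", "simple") == "simple" and "credentials" in cfg:
        findings.append("cleartext credentials with bindmethod=simple")
    if rootdn and cfg.get("binddn", "").lower() == rootdn.lower():
        findings.append("replication binds as the rootdn")
    if cfg.get("bindmethod") == "sasl" and cfg.get("saslmech", "").lower() == "external":
        # EXTERNAL only works if the client certificate side is fully specified
        for key in ("tls_cert", "tls_key", "tls_cacert"):
            if key not in cfg:
                findings.append(f"missing {key} for SASL EXTERNAL")
        if cfg.get("tls_reqcert") != "demand":
            findings.append("tls_reqcert should be demand")
        if cfg.get("starttls") != "critical" and not cfg.get("provider", "").startswith("ldaps://"):
            findings.append("no TLS: set starttls=critical or use ldaps://")
    return findings
```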

> Hi,
>
> I have version 2.4.22 running with mirrormode enabled and it is
> working well.
>
> I have a question regarding the credentials field in the syncrepl part
> in slapd.conf.
>
> Must this be cleartext or can it be encrypted, and what is considered
> good practice regarding which binddn to use? (e.g. should I create a
> user with a cleartext password specifically for replication?)
>
> Up to now I have used the same binddn as my rootdn, but I can only get
> this to work with a cleartext password and I don't want to have my
> rootpw as cleartext in slapd.conf.
>
> Here is my current slapd.conf snippet
>
> database        bdb
> suffix          "dc=example,dc=com"
> rootdn          "cn=Manager,dc=example,dc=com"
> moduleload      syncprov
>
> overlay syncprov
> syncprov-checkpoint 1 1
> syncprov-sessionlog 100
>
> # Cleartext passwords, especially for the rootdn, should
> # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> rootpw          secret
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory       /var/lib/ldap
> # Indices to maintain
> index   objectClass     eq
>
> syncrepl rid=123
>   provider=ldap://server:389
>   type=refreshAndPersist
>   retry="5 5 300 +"
>   searchbase="dc=example,dc=com"
>   attrs="*,+"
>   bindmethod=simple
>   binddn="cn=Manager,dc=uniscope,dc=jp"
>   credentials=secret
>
> mirrormode on
>
>
> Any help would be appreciated.  Thanks.