
Re: logging into slave ldap server



Nate wrote:
	...I'd like to avoid
	storing the password in the config file in plain text ..

There's no need to have the root password in plain text.
Use slappasswd to generate the encrypted password, and
cut-and-paste it into your slapd.conf.

For example, if your root password is "secret" and you are
using {MD5} as your encryption scheme, you should have
the following line in your slapd.conf (before the database
definitions):

password-hash {MD5}

The slappasswd command is:

/usr/local/sbin/slappasswd -h "{MD5}" -s "secret"

which produces

{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==

Now put the line

rootpw	{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==

in your database definition in slapd.conf, and there you are.

Of course, this means you must use a different DN for replication,
and there is no way to encrypt that password, but you simply
deny any access to the replication DN on your master.  The password
won't be present in the slave slapd.conf.  So, anyone who gets
the replication password cannot do anything to the master, although
of course they can read records on the slave.

--Chris Robertson
Corinthian Engineering
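
Added example, not part of the original message: how the rootpw value shown above is built, with a checker for stored values. It goes beyond the message by also handling the salted {SSHA} scheme; the function names and the 4-byte salt length are choices made for this sketch.

```python
import base64
import hashlib
import hmac
import os


def make_md5(password):
    """{MD5}: base64 of the raw, unsalted MD5 digest of the password."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password, salt=None):
    """{SSHA}: base64 of SHA-1(password + salt) with the salt appended."""
    salt = os.urandom(4) if salt is None else salt  # salt length assumed here
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(password, stored):
    """Check a candidate password against a '{SCHEME}base64' value."""
    scheme, sep, encoded = stored.partition("}")
    if not sep:
        return False  # no scheme prefix: treat as unverifiable, never as a match
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:
        return False
    pw = password.encode("utf-8")
    if scheme == "{MD5" and len(raw) == 16:
        return hmac.compare_digest(raw, hashlib.md5(pw).digest())
    if scheme == "{SSHA" and len(raw) > 20:
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    return False


if __name__ == "__main__":
    print(make_md5("secret"))   # same value on every run (no salt)
    print(make_ssha("secret"))  # differs on every run (random salt)
    print(verify("secret", "{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ=="))
```

Because {MD5} carries no salt, the same password always yields the same rootpw line, while each {SSHA} value differs and still verifies.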