[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: replication credentials

To: OpenLDAP <openldap-software@OpenLDAP.org>
Subject: Re: replication credentials
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Wed, 03 Sep 2003 11:41:10 -0700
Content-disposition: inline
In-reply-to: <3F562EFA.6060208@franklinamerican.com>
References: <200309031637.h83GbDsI020955@scv1.apple.com> <3F562EFA.6060208@franklinamerican.com>

--On Wednesday, September 03, 2003 1:12 PM -0500 John M Beamon <jbeamon@franklinamerican.com> wrote:

I've had mixed results including encrypted replication passwords.  In
fact, I've read messages that say you CANNOT encrypt the replication
credentials.  YMMV.  If you're worried about "anyone who can read the
slapd.conf file", set its permissions as 0750 root:ldap and trust the
filesystem.  Nobody's in the ldap group but the ldap user, probably
created by your package installer.

The details of a secure (TLS) replication environment are plastered all
over the list archives.  I posted my entire config a couple months ago
personally.  It's an extremely active subject.  I'd recommend some time
in the archives to anybody who needs hands-on documentation of a number
of successful "secure environment" deployments.

In a Kerberos world, you can simply use a kerberos credential for slurpd to use when replicating -- then no passwords are ever used.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

References:
- replication credentials
  - From: glavoy@apple.com (Gary LaVoy)
- Re: replication credentials
  - From: John M Beamon <jbeamon@franklinamerican.com>

Prev by Date: Re: replication credentials
Next by Date: Re: Error - Why?
Index(es):
- Chronological
- Thread