
Re: Problem when replication is configured with crypted password



> On Fri, 24 Mar 2006, Sven Pfeifer wrote:
>
>> I have no problems in replication. So my question is: Can I use a crypted
>> password-String in the credentials= or not?
>> Any hints on how to fix it are welcome.
>
> Not. You can fix it the way you indicated.
>
>
> When you're setting "credentials=", you can think of it being "the same"
> as entering in a password at a password prompt. One of the main points of
> one-way crypted passwords (in theory; weak crypto being a notable
> exception) is that they can't be entered at that prompt nor can they be
> derived to be entered at that prompt. So your config example can't work in
> theory and therefore can't work in practice.
>
> The opposite applies for the directives that are *checked*. An example of
> this in slapd.conf(5) is "rootpw" directive. These can be hashed if
> desired.

I think we should add a check: if the "credentials" field starts with a
known hashing, a warning should be issued; if it starts with "{" and
contains "}" a different warning should be used.

p.



Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
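
The check proposed in the message above, as an added example that is not part of the original post and is not OpenLDAP code: it classifies a credentials= value and picks one of the two warnings. The function names, result codes, warning texts and the list of scheme prefixes are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical result codes for this example. */
enum cred_check { CRED_OK = 0, CRED_KNOWN_HASH = 1, CRED_UNKNOWN_SCHEME = 2 };

/* Hash scheme prefixes as produced by slappasswd(8); this list is
 * illustrative and is not taken from slapd's own scheme table. */
static const char *const known_schemes[] = {
    "{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}", NULL
};

/* Classify a credentials= value (hypothetical helper, not slapd code). */
enum cred_check check_credentials(const char *cred)
{
    if (cred == NULL || cred[0] != '{')
        return CRED_OK;
    for (size_t i = 0; known_schemes[i] != NULL; i++) {
        size_t n = strlen(known_schemes[i]);
        if (strncasecmp(cred, known_schemes[i], n) == 0)
            return CRED_KNOWN_HASH;
    }
    /* Starts with "{" and contains "}": looks like an unknown scheme. */
    if (strchr(cred + 1, '}') != NULL)
        return CRED_UNKNOWN_SCHEME;
    return CRED_OK;
}

/* Emit the matching warning without echoing the value; returns the code. */
enum cred_check warn_credentials(const char *cred)
{
    enum cred_check rc = check_credentials(cred);
    if (rc == CRED_KNOWN_HASH)
        fprintf(stderr, "warning: credentials= looks hashed; it is sent "
                "as the bind password and must be cleartext\n");
    else if (rc == CRED_UNKNOWN_SCHEME)
        fprintf(stderr, "warning: credentials= starts with \"{...}\"; "
                "check that it is not a hashed value\n");
    return rc;
}

int main(void)
{
    warn_credentials("{SSHA}constructedSampleValue"); /* constructed samples */
    warn_credentials("{FOO}bar");
    warn_credentials("secret");
    return 0;
}
```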