[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Best practise for syncrepl security & latency?



Quanah Gibson-Mount wrote:
--On Saturday, April 21, 2007 11:08 PM +0300 Kari Mattsson <kari@trivore.com> wrote:

Hola!

I have this situation at hand, and would like to solve it proper way.
It appears finding this kind of information on OpenLDAP is hard to come
by.

Host1 holds master OpenLDAP DIT.
Host2 holds full syncrepl replicated read-only copy of the same DIT.

Replication latency should be minimised. 30 seconds is ok, tough.

Host1's slapd.conf contains lines like:
overlay syncprov
syncprov-checkpoint 1 1
syncprov-sessionlog 100

Host2's slapd.conf contains line:
syncrepl rid=10
   provider=ldap://HOST1:389
   starttls=critical
   type refreshAndPersist
   interval=00:00:00:29
   binddn="cn=replicator,dc=BASENAME"
   credentials="secret_password"
   bindmethod=simple
   searchbase="dc=BASENAME"

It seems to work ok, but I don't like the idea of having plain text
password on the Host2's slapd.conf.

Any comments on the Host1's values would be valuable.
Same goes for Host2's values.

Is SASL the only sensible way to go here, security-wise?

You could use SASL/EXTERNAL (cert auth) certainly... I'll note that "interval" is not a valid parameter for "refreshAndPersist", I suggest looking at the "retry" parameter and going back over the documentation.

Yes, thanks. So it seems. I went to the manual page. I wuld like to note, that there is an somewhat misleading error on page <http://www.openldap.org/faq/data/cache/1117.html> in the example. On the explanation below, the text is correct.


On the subject matter, I'll go for SASL.  Thanks!

--Quanah