Re: acls for mirrormode user and its clear text passwords
I figured this out. The problem was I didn't have the entry 'anonymous
auth' in the clause.
>I have a multimaster system running behind a back_ldap proxy and all
>is
>running fine except for the fact that the mirrormode user specified in
>syncrepl section can only specify its password as cleartext or use sasl
>authentication. I'm not so worried about the clear text password being
>seen because all connections are via tls. But, if anyone binds,
>including anonymous users, that password is visible to them which
>scares me because the mirrormode user has write access to the entire
>tree. My first course of action was to set acls as write to mirrormode
>user and none to everyone else but no matter what I do, replication
>between the two servers breaks because it seems as soon as an acl is
>defined, mirrormode user no longer has permissions. Am I fundamentally
>missing something here with the visible clear text password? Or am I
>just not doing the acls right? Below is an example of what I surely
>thought would work (at a very minimal level).
>
>access to dn.base="cn=Mirrormode,dc=example,dc=com" attrs=userPassword
> by anonymous none
>
>doesn't work. Even:
>
>access to dn.base="cn=Mirrormode,dc=example,dc=com" attrs=userPassword
> by self write
>
>gives me no love either. If you need the entire acl I can provide it
>but I'm guessing I'm missing something much more obvious.
>
>Thanks,
> Tyler
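For reference, the shape of ACL the thread converges on, as an added slapd.conf example that is not taken from either post; the Mirrormode DN is the one from the question, and the rest of the tree layout is assumed:

```conf
# Added example (not from the original thread). Goal: let the syncrepl
# identity authenticate while keeping its userPassword unreadable by
# everyone else. Assumes a single suffix dc=example,dc=com.

# slapd evaluates access directives in order and stops at the first
# matching "access to" clause, so this specific rule must come before
# the catch-all "access to *" below.
#
# A simple bind is performed by a client that is still anonymous, and
# slapd needs 'auth' access to userPassword to compare the credential.
# Without "by anonymous auth" the bind fails and replication stops,
# which is exactly the symptom described in the question.
access to dn.base="cn=Mirrormode,dc=example,dc=com" attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Same pattern for every other password in the tree: owners may change
# theirs, anyone may authenticate against it, nobody may read it.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# The syncrepl consumer binds to the other provider as this identity and
# only reads from it (changes are applied locally outside these ACLs), so
# read is the least-privilege grant. The question grants write; keep
# that only if this identity is also used for something that writes.
access to *
    by dn.exact="cn=Mirrormode,dc=example,dc=com" read
    by users read
    by * none
```

After editing, a simple bind as cn=Mirrormode over the TLS-protected connection should succeed, while an anonymous or ordinary-user search for that entry returns it without the userPassword attribute.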