
Re: Encrypting replication credentials in replica directive (ITS#299)



At 01:07 AM 9/22/99 GMT, trevor@pocketscience.com wrote:
>Full_Name: Trevor Porter
>Version: 1.2.7
>OS: Solaris 2.6 x86
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (209.24.64.3)
>
>
>It should be possible to encrypt a password used in a replica directive similar
>to
>the rootpw directive, otherwise a password must be exposed in the clear in
>slapd.conf.
>
>For example, slapd.conf could contain:
>
>replica host=replica
> binddn="cn=Replicator, o=U of M, c=US"
> bindmethod=simple credentials={crypt}zFYcu4MQ4G.Rs
>
>instead of:
>
>replica host=replica
> binddn="cn=Replicator, o=U of M, c=US"
> bindmethod=simple credentials=secret
>
>Am I missing something, or is this not possible?

The clear text password is needed so that the slurpd (which reads
the replogs) can perform the simple bind.  Though one could
rewrite slurpd (and ldapmodify) to obtain the clear text password
from another location, there is little point.  The password
would still be in clear text.

Note also that even though your rootpw is in cleartext it is not
wise to expose it to non-system administrators.  Anybody with
half a brain can break the encryption in relatively short order.

You should keep all slapd configuration files, database directories/files,
logs (including replog, debugging, and syslogging) under system manager
only access.

{crypt},{md5},{sha1} are really not much better than cleartext
  http://search.ietf.org/internet-drafts/draft-ietf-saag-aes-ciph-00.txt

You could easily implement base64 credentials and get about as much obscurity
as crypt and have something the slurpd/ldapmodify can easily decode.

Of course, the real solution is not to use simple bind.  The only
alternative at the moment is Kerberos.  With OpenLDAP 2.x, additional
bind mechanisms will become available which will better address this
issue.

Kurt
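An added example (not from this thread and not OpenLDAP's own code) that makes the point above concrete: it parses a constructed slapd.conf fragment, shows that a {base64}-wrapped credential is trivially recoverable by the client that must bind (so it is obscurity, not protection), and that a hashed value can only be verified server-side, never turned back into something a simple bind could send. The {sha1} label follows the thread's naming and is assumed to mean base64(SHA-1(password)); the scheme names and sample values are constructed.

```python
import base64
import hashlib
import shlex

# Constructed slapd.conf fragment (not from the thread). As in slapd.conf, a
# line that starts with whitespace continues the previous directive.
SAMPLE_CONF = """\
rootpw {sha1}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
replica host=replica
 binddn="cn=Replicator, o=U of M, c=US"
 bindmethod=simple credentials={base64}c2VjcmV0
"""


def parse_slapd_conf(text):
    """Return [(directive, argument_string)], joining continuation lines."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line[0] in " \t" and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    return [tuple(item.split(None, 1)) for item in logical]


def replica_options(args):
    """Split replica arguments into a dict, honouring double-quoted values."""
    return dict(tok.split("=", 1) for tok in shlex.split(args))


def client_credentials(value):
    """Cleartext a bind client such as slurpd could send for this value.

    {base64} is reversible (obscurity only); a hashed scheme ({crypt},
    {md5}, {sha1}) is one-way, so there is nothing to present in a bind.
    """
    if value.startswith("{base64}"):
        return base64.b64decode(value[len("{base64}"):]).decode()
    if value.startswith("{"):
        raise ValueError(value.split("}", 1)[0] + "} cannot be used to bind")
    return value


def verify_hashed_password(stored, candidate):
    """Server side: a hashed value can still be checked, as rootpw is
    (only {sha1}, assumed to be base64(SHA-1(password)), is handled)."""
    if stored.startswith("{sha1}"):
        digest = base64.b64encode(hashlib.sha1(candidate.encode()).digest())
        return digest.decode() == stored[len("{sha1}"):]
    return stored == candidate
```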