[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: replication with "credential={crypt}xxxxxx"?

Pierangelo Masarati wrote:

You can't crypt credentials at the client side, because
the server expects clear text creds; one way to improve
security is to encrypt the channel that's used to exchange
credentials; see slapd.conf(5): "tls=yes" or "tls=critical"
in the replica line forces the connection to be secured by
ssl (you need both slave and master compiled with tls support, ald slave configured to accept tls). You can also
use "saslmech=..." but I've never tried it so I can't help


thank you for your answer, but what you suggest doesn't really solve my basic problem:

As I wrote in my first message, I'm already using tsl for replication connection. But I don't like to put a password which gives writing-permissions on the whole openldap tree as clear text in a file like slapd.conf. Even if I use different rootdns on master and slave, the rootdn on the slave has full "write and read" access to the ldap tree at this server! I would feel much better if the replica-bind-password could be encrypted like the others (e.g. rootpw).

If this isn't supported yet, in my opinion it should be for later versions. (Or are there any reasons against it?)