Re: replication with "credential={crypt}xxxxxx"?
Pierangelo Masarati wrote:
You can't crypt credentials at the client side, because
the server expects clear text creds; one way to improve
security is to encrypt the channel that's used to exchange
credentials; see slapd.conf(5): "tls=yes" or "tls=critical"
in the replica line forces the connection to be secured by
ssl (you need both slave and master compiled with tls
support, and slave configured to accept tls). You can also
use "saslmech=..." but I've never tried it so I can't help
you.
Hi,
thank you for your answer, but what you suggest doesn't really solve my
basic problem:
As I wrote in my first message, I'm already using TLS for the replication
connection. But I don't like to put a password which gives
write permissions on the whole openldap tree as clear text in a file
like slapd.conf. Even if I use different rootdns on master and slave,
the rootdn on the slave has full "write and read" access to the ldap
tree at this server! I would feel much better if the
replica-bind-password could be encrypted like the others (e.g. rootpw).
If this isn't supported yet, in my opinion it should be for later
versions. (Or are there any reasons against it?)
Greetings,
Susanne
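As an added illustration of the two points raised in this thread (it is not configuration posted by either participant), the fragments below show a master-side replica line forced onto TLS and a slave-side configuration in which replication binds as a dedicated updatedn rather than the slave's rootdn, so that the account used for replication does not carry rootdn privileges on the slave. All hostnames, DNs, certificate paths and the password are placeholders.

```conf
# --- master slapd.conf (added example; names and password are placeholders) ---
# tls=critical makes the replica connection fail instead of falling back
# to clear text if the TLS handshake cannot be completed.
replica host=slave.example.com:389
        tls=critical
        binddn="cn=replicator,dc=example,dc=com"
        bindmethod=simple
        credentials=replicator-secret

# --- slave slapd.conf (added example) ---
# Server certificate so the slave can accept TLS from the master.
TLSCertificateFile    /etc/openldap/slave-cert.pem
TLSCertificateKeyFile /etc/openldap/slave-key.pem
TLSCACertificateFile  /etc/openldap/ca.pem

# Replication updates are accepted from updatedn, which is a separate
# identity from rootdn. Unlike rootdn, updatedn is subject to access control.
rootdn    "cn=Manager,dc=example,dc=com"
updatedn  "cn=replicator,dc=example,dc=com"
updateref ldap://master.example.com

# Grant the replicator write access only to the replicated subtree.
access to dn.subtree="dc=example,dc=com"
        by dn.exact="cn=replicator,dc=example,dc=com" write
        by * read
```

The credentials= value on the master is still stored in clear text, so that file should be owned by the user slapd runs as and readable by nobody else (mode 0600); the ACL on the slave limits what a leaked replicator password can do there, but it does not remove the need to protect the file itself.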