[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: replication with "credential={crypt}xxxxxx"?

Susanne Benkert wrote:
> Pierangelo Masarati wrote:
> > You can't crypt credentials at the client side, because
> > the server expects clear text creds; one way to improve
> > security is to encrypt the channel that's used to exchange
> > credentials; see slapd.conf(5): "tls=yes" or "tls=critical"
> > in the replica line forces the connection to be secured by
> > ssl (you need both slave and master compiled with tls
> > support, ald slave configured to accept tls). You can also
> > use "saslmech=..." but I've never tried it so I can't help
> > you.
> Hi,
> thank you for your answer, but what you suggest doesn't really solve my
> basic problem:
> As I wrote in my first message, I'm already using tsl for replication
> connection. But I don't like to put a password which gives
> writing-permissions on the whole openldap tree as clear text in a file
> like slapd.conf. Even if I use different rootdns on master and slave,
> the rootdn on the slave has full "write and read" access to the ldap
> tree at this server! I would feel much better if the
> replica-bind-password could be encrypted like the others (e.g. rootpw).
> If this isn't supported yet, in my opinion it should be for later
> versions. (Or are there any reasons against it?)

I understand your point; but there's no solution: "rootpw" is a
password at the __SERVER__ side, so it can be encrypted from
the beginning, while "credentials" is a passowrd at the __CLIENT__
side, so it cannot be encrypted.  The only way I see not to provide
a cleartext password at the client side is kerberos, i.e. sasl with 
gssapi.  I see that some applications (sendmail and more) exploit
the unix filesystem security layer allowing to store cleartext ldap
credentials in a separate file that is read when the process starts;
in principle the same could be done with slapd, so the password 
file needs be readable by the user that runs slapd, while slapd.conf
might be readable by someone else.  There's no such provision for
replica credentials, but you may add it yourself.  Note that this
does not really solve any security problem, while it may pose 
severe administration issues in keeping things in sync.


Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
Politecnico di Milano                 |
via La Masa 34, 20156 Milano, Italy   |