
Re: replication with "credential={crypt}xxxxxx"?

On Tuesday, 22. January 2002 15:47, Susanne Benkert wrote:
> As I wrote in my first message, I'm already using TLS for replication
> connection. But I don't like to put a password which gives
> writing-permissions on the whole openldap tree as clear text in a file
> like slapd.conf. Even if I use different rootdns on master and slave,
> the rootdn on the slave has full "write and read" access to the ldap
> tree at this server! I would feel much better if the
> replica-bind-password could be encrypted like the others (e.g. rootpw).
> If this isn't supported yet, in my opinion it should be for later
> versions. (Or are there any reasons against it?)


It is a general problem and not solvable by any means. The replication client
does need the credentials to authenticate. This cannot be a hash value,
because it is not possible to get the password from the hash value (that's
what hashes are used for). If the hash value were sufficient for
authentication, the hash value would be a credential equivalent. Note: you have
the same problem if you use e.g. the GSSAPI SASL mechanism. In this case you
will need your Kerberos credentials in your keytab file.

Stephan Siano

Stephan Siano                           Mail:  Stephan.Siano@suse.de
SuSE Linux Solutions AG                 Phone: 06196 50951 31
Mergenthalerallee 45-47                 Fax:   06196 409607
D-65760 Eschborn
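The argument in the reply above, as an added illustration that is not part of the original message and not OpenLDAP or slurpd code: a verifier that stores an {SSHA} hash (the format rootpw can use in slapd.conf) can only check a bind if the client presents the cleartext, because the server has to rehash what it receives. Feeding the hash string itself into the bind fails. The only way to let a client authenticate with the stored hash is to have the server compare hash strings directly, and at that point the hash is worth exactly as much as the password it protects. The {SSHA} encoding follows the scheme used by OpenLDAP (base64 of SHA-1 digest plus salt); the function names, the fixed salt and the sample password are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed example: a "master" that verifies simple binds against a
# stored {SSHA} hash. Mirrors the {SSHA} format, but is not OpenLDAP code.


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return an {SSHA} hash: base64(sha1(password + salt) + salt)."""
    salt = salt if salt is not None else os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(candidate: str, stored: str) -> bool:
    """Server-side check: rehash the cleartext the client presented and
    compare it with the stored digest (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} hash")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    recomputed = hashlib.sha1(candidate.encode() + salt).digest()
    return hmac.compare_digest(recomputed, digest)


def simple_bind(stored_hash: str, credential_from_config: str) -> bool:
    """What a replication client must do: send whatever 'credential=' holds
    in its config file to the master; the master rehashes it."""
    return verify_ssha(credential_from_config, stored_hash)


def naive_hash_bind(stored_hash: str, credential_from_config: str) -> bool:
    """Hypothetical scheme in which the server accepts the hash string as
    the authenticator. Whoever reads the hash can bind: it is a credential
    equivalent, which is the point of the reply."""
    return hmac.compare_digest(credential_from_config.encode(),
                               stored_hash.encode())


def demo() -> dict:
    """Run the three cases against one stored hash (fixed salt so the
    result is reproducible)."""
    password = "replica-secret"  # constructed sample password
    stored = make_ssha(password, salt=b"\x01\x02\x03\x04")
    return {
        # cleartext in the config file: bind succeeds
        "cleartext_binds": simple_bind(stored, password),
        # the {SSHA} string in the config file: bind fails, server rehashes it
        "hash_in_config_binds": simple_bind(stored, stored),
        # server that compares hash strings: hash alone is enough to bind
        "naive_scheme_hash_binds": naive_hash_bind(stored, stored),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

The middle case is why `credential={crypt}...` cannot work with a real verifier, and the last case is why making it work would not improve anything: the file would then hold a value that grants the same write access as the password. The practical mitigations are the ones the thread already touches on: restrict file permissions on slapd.conf, use a dedicated replication DN with only the ACLs it needs rather than the rootdn, or move to a mechanism whose long-term secret (a keytab, a client certificate key) is still a secret on disk but at least is not reusable as a password.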