
Re: Encrypting replication password



On Wed, Oct 02, 2002 at 11:28:04AM -0400, James Shvarts wrote:
> 
> Is it possible to encrypt the password (credentials) of the replica in 
> the master's slapd.conf? If I don't use the clear text but instead encrypt it 
> with sbin/slappasswd, slurpd is not able to connect to the slave. I am 
> using openldap-2.1.3, btw.

No - the master machine has to know the password so that it can use it
to authenticate to the slave machine. The password has to be stored in
the clear, or it has to be encrypted using a key that is stored in the
clear (which just adds complexity without adding security).

slapd.conf should be readable *only* by the user that slapd runs as.
This is commonly root on Unix systems, but it can be any user created
for the purpose. Running as a non-root user gives added protection in
the event that slapd itself is compromised, so it is generally a good
idea. You may still want to start the daemon as root though, so that
it can bind to port 389 before switching to the other user-id.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
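As an added illustration of the advice above (this is not code from the thread or from the OpenLDAP project), the shell script below checks that an slapd.conf carrying a clear-text replica password is owned by the service user and readable by nobody else, fixes it if not, and shows the slapd invocation that starts as root to bind port 389 and then drops to that user. The service user "ldap", the group "ldap" and the path /etc/openldap/slapd.conf are assumptions chosen for the example; slapd's own -u, -g, -f and -h options are real.

```shell
#!/bin/sh
# Added example, not from the original message: audit and fix the permissions
# on an slapd.conf that holds a clear-text "credentials=" line, and show how
# to start slapd as root so it can bind to port 389 and then drop privileges.
# Assumed (not from the page): service user/group "ldap" and the config path
# /etc/openldap/slapd.conf. Both are placeholders; override via environment.

LDAP_USER="${LDAP_USER:-ldap}"
LDAP_GROUP="${LDAP_GROUP:-ldap}"
SLAPD_CONF="${SLAPD_CONF:-/etc/openldap/slapd.conf}"

# Return 0 if FILE is owned by OWNER and carries no group/other permission
# bits (i.e. mode 0600 or 0400), 1 otherwise. Works with GNU and BSD stat.
check_conf_perms() {
    file="$1"
    owner="$2"
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    fowner=$(stat -c '%U' "$file" 2>/dev/null || stat -f '%Su' "$file")
    # Keep only the last three digits so a setuid/setgid/sticky prefix
    # (GNU prints e.g. 4755) does not confuse the comparison.
    mode=$(printf '%s' "$mode" | sed 's/^.*\(...\)$/\1/')
    group_other=$(printf '%s' "$mode" | cut -c2-3)
    [ "$fowner" = "$owner" ] || return 1
    [ "$group_other" = "00" ] || return 1
    return 0
}

# Make FILE owned by OWNER:GROUP and readable/writable by the owner only.
fix_conf_perms() {
    file="$1"
    owner="$2"
    group="$3"
    chown "$owner:$group" "$file"
    chmod 0600 "$file"
}

# Print the command that starts slapd as root (so it can bind to 389) and
# switches to the unprivileged service user via slapd's -u/-g options.
slapd_start_cmd() {
    printf 'slapd -f %s -h ldap:/// -u %s -g %s\n' \
        "$SLAPD_CONF" "$LDAP_USER" "$LDAP_GROUP"
}

# Stand-alone use: audit the real config and report what to do.
if [ "${1:-}" = "--audit" ]; then
    if check_conf_perms "$SLAPD_CONF" "$LDAP_USER"; then
        echo "$SLAPD_CONF: permissions OK (owner $LDAP_USER, mode 0600/0400)"
    else
        echo "$SLAPD_CONF: readable by others or wrong owner; run as root:"
        echo "  chown $LDAP_USER:$LDAP_GROUP $SLAPD_CONF && chmod 0600 $SLAPD_CONF"
    fi
    echo "start with: $(slapd_start_cmd)"
fi
```

Run it with `--audit` as root on the master to see whether the file that holds the replica credentials is exposed; the check fails on any group or world permission bit, not just world-readable, because a shared group on a multi-user box is enough to leak the password.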