Re: replication credentials

[John M Beamon <jbeamon@franklinamerican.com>]

I've had mixed results including encrypted replication passwords.  In 
fact, I've read messages that say you CANNOT encrypt the replication 
credentials.  YMMV.  If you're worried about "anyone who can read the 
slapd.conf file", set its permissions as 0750 root:ldap and trust the 
filesystem.  Nobody's in the ldap group but the ldap user, probably 
created by your package installer.

The details of a secure (TLS) replication environment are plastered all 
over the list archives.  I posted my entire config a couple months ago 
personally.  It's an extremely active subject.  I'd recommend some time 
in the archives to anybody who needs hands-on documentation of a number 
of successful "secure environment" deployments.

-j


Gary LaVoy wrote:
> Is it possible to put an encrypted password in the slapd.conf for the
> replication account? It's doesn't seem to like this statement:
>
>
> replica         host=replicahost.apple.com:389
>                 binddn="cn=replicator,o=Apple Computer"
>                 bindmethod=simple
>                 credentials={SSHA}qn1ASsCqSO4wUbZPRmgUc0e3eZgbACdE
>
> and putting a clear text password in means that I expose an account that
> basically has manager access to anyone who can read the slapd.conf file. So in
> that case I might as well use the manager account for replication itself.
>
> so what is the recommended way to set up a reasonably secure replication
> environment?
>
> thanks,
>
> Gary 
> glavoy@apple.com