[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Best practise for syncrepl security & latency?

To: Quanah Gibson-Mount <quanah@stanford.edu>
Subject: Re: Best practise for syncrepl security & latency?
From: Philip Guenther <guenther+ldapsoft@sendmail.com>
Date: Sat, 21 Apr 2007 22:03:25 -0600
Cc: OpenLDAP software <openldap-software@openldap.org>, Kari Mattsson <kari@trivore.com>
In-reply-to: <F6DA8C32F3A298C353F37163@SW-90-717-287-3.stanford.edu>
References: <462A6F4E.3090905@trivore.com> <F6DA8C32F3A298C353F37163@SW-90-717-287-3.stanford.edu>

On Sat, 21 Apr 2007, Quanah Gibson-Mount wrote:
...

It seems to work ok, but I don't like the idea of having plain text
password on the Host2's slapd.conf.
Is SASL the only sensible way to go here, security-wise?
You could use SASL/EXTERNAL (cert auth) certainly... I'll note that "interval" is not a valid parameter for "refreshAndPersist", I suggest looking at the "retry" parameter and going back over the documentation.

Of course, the credentials are still on the machine, just in a separate, multikilobyte file. While that's less likely to be accidentally observed (unlike a password that can be read over the shoulder of a sysadmin), it may be more difficult (or just more work) to revoke if it is stolen than a simple password. If you go this route, I would suggest that you test and document locally the procedure for adding host2's cert to the CRL on host1.


Philip Guenther
Sendmail, Inc.

References:
- Best practise for syncrepl security & latency?
  - From: Kari Mattsson <kari@trivore.com>
- Re: Best practise for syncrepl security & latency?
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

Prev by Date: Re: Best practise for syncrepl security & latency?
Next by Date: Re: Best practise for syncrepl security & latency?
Index(es):
- Chronological
- Thread