
Re: OpenLDAP replication 'credentials'
Philip Guenther <guenther+ldapsoft@sendmail.com> wrote:

> In both cases--setups using passwords and setups using TLS client 
> certs--the one end has enough info to verify authentications (but not to
> forge them) while the other has a file that contains enough data to 
> generate (and forge) authentications.  The name of the file containing
> that data is different, and the size of that data is different, but if you
> can read that file, you can forge connections.

Yes, but if you can read the replica private key, this basically means
that you have shell access as the slapd pseudo-user on the replica. If
you have this, then you can also trace slapd and extract whatever you
want, reconfigure it to modify ACLs, or just directly dump the replicated
databases.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org
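Both posters agree that the security of the replica rests on who can read the credential file, whether it is a replication password file or a TLS client private key. The following check is an added example, not code from either poster or from the OpenLDAP project: it verifies that such a file exists, is owned by the slapd pseudo-user, and carries no group or other permission bits. The user name and file paths are placeholders to be adjusted for a given installation.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a replication
# credential file (replica password file or TLS client private key) is
# readable only by the slapd pseudo-user.
# Assumptions: the owner name and the file path are supplied by the
# caller; "ldap" below is only a placeholder for the slapd user.

# check_cred_file FILE OWNER
# Returns 0 when FILE is a regular file owned by OWNER whose mode grants
# nothing to group or other; otherwise prints a reason and returns 1.
check_cred_file() {
    file=$1
    owner=$2
    if [ ! -f "$file" ]; then
        echo "$file: missing or not a regular file"
        return 1
    fi
    # stat spells its format flags differently on GNU and BSD systems;
    # try the GNU form first and fall back to the BSD form.
    if perms=$(stat -c '%a %U' "$file" 2>/dev/null); then
        :
    else
        perms=$(stat -f '%Lp %Su' "$file")
    fi
    mode=${perms% *}
    fowner=${perms#* }
    if [ "$fowner" != "$owner" ]; then
        echo "$file: owned by $fowner, expected $owner"
        return 1
    fi
    # Keep only the last three octal digits (drops a leading setuid/setgid/
    # sticky digit if stat printed one).
    prefix=${mode%???}
    mode=${mode#"$prefix"}
    case "$mode" in
        ?00) return 0 ;;
        *)
            echo "$file: mode $mode grants group/other access"
            return 1
            ;;
    esac
}

# Typical use on a replica (paths are placeholders):
#   check_cred_file /etc/openldap/replica.secret ldap
#   check_cred_file /etc/openldap/certs/replica-key.pem ldap
```

A failing check means the file is exposed beyond the slapd pseudo-user, which is exactly the condition under which an attacker could forge replication connections without first obtaining a shell as that user.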