Re: OpenLDAP replication 'credentials'
Philip Guenther <email@example.com> wrote:
> In both cases--setups using passwords and setups using TLS client
> certs--the one end has enough info to verify authentications (but not to
> forge them) while the other has a file that contains enough data to
> generate (and forge) authentications. The name of the file containing
> that data is different, and the size of that data is different, but if you
> can read that file, you can forge connections.
Yes, but if you can read the replica private key, this basically means
that you have shell access as the slapd pseudo-user on the replica. If
you have this, then you can also trace slapd and extract whatever you
want, reconfigure it to modify ACL, or just directly dump the replicated