[Date Prev][Date Next] [Chronological] [Thread] [Top]

acls for mirrormode user and its clear text passwords

I have a multimaster system running behind a back_ldap proxy and all is
running fine except for the fact that the mirrormode user specified in
syncrepl section can only specify its password as cleartext or use sasl
authentication. I'm not so worried about the clear text password being
seen because all connections are via tls. But, if anyone binds,
including anonymous users, that password is visible to them which
scares me because the mirrormode user has write access to the entire
tree. My first course of action was to set acls as write to mirrormode
user and none to everyone else but no matter what I do, replication
between the two servers breaks because it seems as soon as an acl is
defined, mirrormode user no longer has permissions. Am I fundamentally
missing something here with the visible clear text password? Or am I
just not doing the acls right? Below is an example of what I surely 
thought would work at a (very minimal level).

access to dn.base="cn=Mirrormode,dc=example,dc=com" attrs=userPassword
     by anonymous none

doesn't work. Even:

access to dn.base="cn=Mirrormode,dc=example,dc=com" attrs=userPassword
     by self write

gives me no love either. If you need the entire acl I can provide it
but I'm guessing I missing something much more obvious.