[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: acls for mirrormode user and its clear text passwords

I figured this out. The problem was I didn't have the entry 'anonymous
auth' in the clause.

>I have a multimaster system running behind a back_ldap proxy and all
>running fine except for the fact that the mirrormode user specified in
>syncrepl section can only specify its password as cleartext or use sasl
>authentication. I'm not so worried about the clear text password being
>seen because all connections are via tls. But, if anyone binds,
>including anonymous users, that password is visible to them which
>scares me because the mirrormode user has write access to the entire
>tree. My first course of action was to set acls as write to mirrormode
>user and none to everyone else but no matter what I do, replication
>between the two servers breaks because it seems as soon as an acl is
>defined, mirrormode user no longer has permissions. Am I fundamentally
>missing something here with the visible clear text password? Or am I
>just not doing the acls right? Below is an example of what I surely 
>thought would work at a (very minimal level).
>access to dn.base="cn=Mirrormode,dc=example,dc=com" attrs=userPassword
>     by anonymous none
>doesn't work. Even:
>access to dn.base="cn=Mirrormode,dc=example,dc=com" attrs=userPassword
>     by self write
>gives me no love either. If you need the entire acl I can provide it
>but I'm guessing I missing something much more obvious.
>    Tyler