[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ååï mirror mode question

To: openldap-technical@openldap.org
Subject: Re: ååï mirror mode question
From: Dieter KlÃnter <dieter@dkluenter.de>
Date: Tue, 8 Apr 2014 10:25:04 +0200
In-reply-to: <000601cf52f2$15629820$4027c860$@sinap.ac.cn>
Organization: AVCI
References: <tencent_0D0FBAC623DE6E942CAF7A02@qq.com> <000601cf52f2$15629820$4027c860$@sinap.ac.cn>

Hi,
If I remeber correctly, you mentioned sasl authentication. My comments
on plaintext passwords are only related to sasl authentication. A sasl
authentication is based on a SASL MECHANISM, as described in rfc-4422.
In order to compare the sasl authentication string with the stored
password value, this has to be cleartext.
If your ldap operation is based on a simple bind, the stored password
can, and should be, hashed.

-Dieter


Am Tue, 8 Apr 2014 14:16:31 +0800
schrieb çæç <tiangexuan@sinap.ac.cn>:

> Hi Michael and Dieter,
> 
>  
> 
>    I see the below mail, can I understand only the mirror mode
> replication canât use the HASH password in rootpw, other Synchronous
> replication mode(example: syncrepl proxy) can use the HASH password?
> 
>  
> 
> Thanks and regards 
> 
> tiangexuan
> 
>  
> 
> ------------------ ååéä ------------------
> 
> åää: "Michael StrÃder";<michael@stroeder.com
> <mailto:michael@stroeder.com> >;
> 
> åéæé: 2014å3æ5æ(ææä) äå4:09
> 
> æää: "Dieter KlÃnter"<dieter@dkluenter.de
> <mailto:dieter@dkluenter.de> >;
> "openldap-technical"<openldap-technical@openldap.org
> <mailto:openldap-technical@openldap.org> >; 
> 
> äé: Re: mirror mode & sasl question
> 
>  
> 
> Dieter KlÃnter wrote:
> > Am Wed, 5 Mar 2014 14:38:04 +0800
> > schrieb "Eileen(=^Ï^=)" <123784635@qq.com <mailto:123784635@qq.com>
> > >:
> >> This is Eileen from China SINAP. I am a beginner for openldap
> >> soft. I encountered a problem in my study on two LDAP services
> >> replication. I have 2 LDAP services, one name LDPA1, the other is
> >> LDAP2 . I want to make them synchronously in mirror mode. But when
> >> I set LDAP services rootpw both in hash, the 2 LDAP serivces canât
> >> be synchronous. My question is 
> >> 1.      if I set my rootpw in hash, my bindmethod must be SASL? If
> >> I must use sasl method, can I put the sasl service in the same ldap
> >> service? If bindmethod=sasl then what is the saslmech should be?
> >> 2.      If I change to sasl method, do I need change my database
> >> record? 
> > 
> > In order to use sasl, passwords must be cleartext and you should
> > configure an apropriate authz-regexp, see man slapd.conf(5)
> > You may use any sasl mechanism that you sasl framework provides.
> > [...]
> 
> To be more precise: In order to use password-based SASL mechs the
> passwords have to be stored in clear-text.
> 
> Well, if working with SASL and TLS (LDAPS, StartTLS) one should
> consider using client certs and SASL/EXTERNAL for replication.
> 
> Ciao, Michael.
> 
> 
> 



-- 
Dieter KlÃnter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53Â37'09,95"N
10Â08'02,42"E

Follow-Ups:
- çå: ååï mirror mode question
  - From: çæç <tiangexuan@sinap.ac.cn>

References:
- çå: ååï mirror mode question
  - From: çæç <tiangexuan@sinap.ac.cn>

Prev by Date: çå: ååï mirror mode question
Next by Date: Re: Problem after migration openldap 2.3.43 to 2.4.23 --> 32 No Such Object
Index(es):
- Chronological
- Thread