Re: mirror mode question
If I remember correctly, you mentioned SASL authentication. My comments
on plaintext passwords relate only to SASL authentication. SASL
authentication is based on a SASL mechanism, as described in RFC 4422.
In order to compare the SASL authentication string with the stored
password value, the stored value has to be cleartext.
If your LDAP operation is based on a simple bind, the stored password
can, and should, be hashed.
On Tue, 8 Apr 2014 14:16:31 +0800,
çæç <email@example.com> wrote:
> Hi Michael and Dieter,
> I see the mail below. Can I take it that only mirror mode
> replication can't use a hashed password in rootpw, while other synchronous
> replication modes (for example, syncrepl proxy) can use the hashed password?
> Thanks and regards
> ------------------ Original message ------------------
> From: "Michael Ströder";<firstname.lastname@example.org
> <mailto:email@example.com> >;
> Sent: Wednesday, 5 March 2014, 4:09 PM
> To: "Dieter Klünter"<firstname.lastname@example.org
> <mailto:email@example.com> >;
> <mailto:firstname.lastname@example.org> >;
> Subject: Re: mirror mode & sasl question
> Dieter Klünter wrote:
> > On Wed, 5 Mar 2014 14:38:04 +0800,
> > "Eileen(=^Ï^=)" <email@example.com <mailto:firstname.lastname@example.org>
> > > wrote:
> >> This is Eileen from China SINAP. I am a beginner with the OpenLDAP
> >> software. I encountered a problem in my study of replication between two
> >> LDAP services. I have 2 LDAP services, one named LDAP1, the other
> >> LDAP2. I want to make them synchronous in mirror mode. But when
> >> I set both LDAP services' rootpw in hashed form, the 2 LDAP services can't
> >> be synchronised. My questions are:
> >> 1. If I set my rootpw as a hash, must my bindmethod be SASL? If
> >> I must use the SASL method, can I put the SASL service in the same LDAP
> >> service? If bindmethod=sasl, then what should the saslmech be?
> >> 2. If I change to the SASL method, do I need to change my database
> >> records?
> > In order to use SASL, passwords must be cleartext and you should
> > configure an appropriate authz-regexp, see man slapd.conf(5).
> > You may use any SASL mechanism that your SASL framework provides.
> > [...]
> To be more precise: in order to use password-based SASL mechs, the
> passwords have to be stored in clear text.
> Well, when working with SASL and TLS (LDAPS, StartTLS), one should
> consider using client certs and SASL/EXTERNAL for replication.
> Ciao, Michael.
Dieter Klünter | Systemberatung
GPG Key ID: E9ED159B
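The point the thread turns on (a simple bind can be verified against a salted hash, but a password-based SASL mechanism such as CRAM-MD5 needs the server to hold the cleartext password) is easiest to see in code. The following is an added, stand-alone illustration written for this page, not OpenLDAP code or anything posted in the thread. It re-implements the {SSHA} userPassword scheme and the CRAM-MD5 exchange from RFC 2195 in plain Python; the password, salt and challenge are constructed sample values.

```python
"""Added example (not from the thread, not OpenLDAP code): why a simple
bind works against a hashed stored password while password-based SASL
mechanisms need the cleartext. Sample values below are constructed."""
import base64
import hashlib
import hmac
import os
from typing import Optional


def ssha_hash(password: bytes, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(password+salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def simple_bind_check(stored: str, supplied: bytes) -> bool:
    """Simple bind: the client sends the password itself (protected only by TLS),
    so the server can verify it with nothing more than the salted hash."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("expected an {SSHA} userPassword value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, rest is salt
    return hmac.compare_digest(hashlib.sha1(supplied + salt).digest(), digest)


def cram_md5_response(username: str, password: bytes, challenge: bytes) -> str:
    """Client side of SASL CRAM-MD5 (RFC 2195): HMAC-MD5 keyed with the password."""
    mac = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return f"{username} {mac}"


def cram_md5_check(stored_secret: bytes, challenge: bytes, response: str) -> bool:
    """Server side: recomputing the HMAC requires the same key the client used,
    i.e. the cleartext password. Whatever is stored is used as that key, so a
    stored {SSHA} string simply produces a different MAC and the bind fails."""
    try:
        _username, mac = response.split(" ", 1)
    except ValueError:
        return False
    expected = hmac.new(stored_secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, mac)


def demo() -> dict:
    """Run both flows against the same constructed password and report outcomes."""
    password = b"replic4tion-secret"                        # constructed
    challenge = b"<1896.697170952@ldap1.example.com>"       # constructed, RFC 2195 style
    stored_hashed = ssha_hash(password, salt=b"\x01\x02\x03\x04")
    stored_clear = password

    resp = cram_md5_response("replicator", password, challenge)
    return {
        # simple bind: hashed storage is sufficient
        "simple_bind_hashed_ok": simple_bind_check(stored_hashed, password),
        "simple_bind_hashed_wrong_pw": simple_bind_check(stored_hashed, b"guess"),
        # CRAM-MD5: only cleartext storage lets the server verify the MAC
        "cram_md5_cleartext_ok": cram_md5_check(stored_clear, challenge, resp),
        "cram_md5_hashed_fails": cram_md5_check(stored_hashed.encode(), challenge, resp),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last dictionary entry is the failure mode Eileen hit: with only a hash on file, the server cannot compute the keyed MAC the client produced, so a password-based SASL bind is rejected even though the password is "correct". For replication between two servers, the option Michael raises (TLS with client certificates and SASL/EXTERNAL, mapped to a DN via authz-regexp) avoids storing any reusable cleartext secret on the provider at all.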