
Re: replication with "credential={crypt}xxxxxx"?



Susanne Benkert wrote:
> 
> Hi,
> 
> I'm running a master and a slave ldap-server (Openldap-2.0.19.) compiled
> with tls-support. The replication itself works all right and uses tls.
> 
> To improve the level of security I'd like to use a {crypt}-password as
> credentials in my replica-configurations, but this doesn't work. If I
> try, I get the following error message (from debug):
> ....
> Error: ldap_simple_bind_s for <my slave server:389> failed: Invalid
> credentials
> ldap_unbind
> ldap_free_connection
> ....
> 
> With password in clear text it works all right. What did I do wrong?
> Is there a solution for my problem or is there no {crypt}-support for
> replica-credentials at all?
> 
> For more information I attached my slapd.conf (master and slave) and a
> part from the debug output.

You can't crypt credentials at the client side, because
the server expects clear text creds; one way to improve
security is to encrypt the channel that's used to exchange
credentials; see slapd.conf(5): "tls=yes" or "tls=critical"
in the replica line forces the connection to be secured by
ssl (you need both slave and master compiled with tls
support, and slave configured to accept tls). You can also
use "saslmech=..." but I've never tried it so I can't help
you.

Pierangelo.

-- 
Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
Politecnico di Milano                 | mailto:pierangelo.masarati@polimi.it
via La Masa 34, 20156 Milano, Italy   | http://www.aero.polimi.it/~masarati
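The configuration the reply describes, written out as an added example (it is not part of the thread and not Pierangelo's or the OpenLDAP project's own config). Hostnames, the replicator DN, the password and the certificate paths are placeholders. The `credentials=` value in the master's `replica` directive has to stay in clear text, because slurpd sends it as the simple-bind password; what protects it is `tls=critical`, which refuses to replicate unless the connection is secured, plus file permissions on slapd.conf. On the slave, the entry the replicator binds as can still store its `userPassword` (or the slave's `rootpw`) as a {CRYPT} hash, since the slave verifies the clear-text bind password against the stored hash.

```text
# --- master slapd.conf (added example, placeholder values) ---

# Weak form: no tls= keyword, so the simple bind carries the
# password unencrypted over port 389 every time slurpd pushes.
#replica host=slave.example.com:389
#        binddn="cn=replicator,dc=example,dc=com"
#        bindmethod=simple
#        credentials=ClearTextSecret

# Hardened form: tls=critical makes slurpd abort the push if
# STARTTLS cannot be negotiated; the password is still clear
# text here, so keep slapd.conf readable only by the slapd user.
replica host=slave.example.com:389
        binddn="cn=replicator,dc=example,dc=com"
        bindmethod=simple
        credentials=ClearTextSecret
        tls=critical

# --- slave slapd.conf (added example, placeholder values) ---

# Slave must be compiled with TLS support and present a certificate
# so the master's STARTTLS request succeeds.
TLSCertificateFile    /path/to/slave-cert.pem
TLSCertificateKeyFile /path/to/slave-key.pem

# The DN slurpd binds as; this entry's userPassword in the slave's
# database can be stored hashed, e.g. userPassword: {CRYPT}<hash>
updatedn  "cn=replicator,dc=example,dc=com"
updateref ldap://master.example.com
```

To check that the push really is protected, run the slave with a connection-level debug level (`slapd -d` with the conns/BER flags) and confirm a STARTTLS extended operation precedes the bind from the master; a bind that arrives before any STARTTLS means `tls=critical` is not in effect on that replica line.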