[Date Prev][Date Next] [Chronological] [Thread] [Top]

Best practise for syncrepl security & latency?

To: openldap-software@openldap.org
Subject: Best practise for syncrepl security & latency?
From: Kari Mattsson <kari@trivore.com>
Date: Sat, 21 Apr 2007 23:08:46 +0300
Organization: Trivore Corp.
User-agent: Thunderbird 1.5.0.10 (Windows/20070221)

Hola!

I have this situation at hand, and would like to solve it proper way.
It appears finding this kind of information on OpenLDAP is hard to come by.

Host1 holds master OpenLDAP DIT.
Host2 holds full syncrepl replicated read-only copy of the same DIT.

Replication latency should be minimised. 30 seconds is ok, tough.

Host1's slapd.conf contains lines like:
overlay syncprov
syncprov-checkpoint 1 1
syncprov-sessionlog 100

Host2's slapd.conf contains line:
syncrepl rid=10
  provider=ldap://HOST1:389
  starttls=critical
  type refreshAndPersist
  interval=00:00:00:29
  binddn="cn=replicator,dc=BASENAME"
  credentials="secret_password"
  bindmethod=simple
  searchbase="dc=BASENAME"

It seems to work ok, but I don't like the idea of having plain text password on the Host2's slapd.conf.

Any comments on the Host1's values would be valuable.
Same goes for Host2's values.

Is SASL the only sensible way to go here, security-wise?

//Kari

Follow-Ups:
- Re: Best practise for syncrepl security & latency?
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

Prev by Date: Re: Syncrepl logging question
Next by Date: Re: Replication failure after error fixed
Index(es):
- Chronological
- Thread