[Date Prev][Date Next] [Chronological] [Thread] [Top]

ååï mirror mode question



Hi Michael and Dieter,

    Thanks for your kindly replies. 
    In my case, I didn't use any SASL or TLS but "simple" method with operation mode of user/password authenticated. However, I need the rootpw hashed (not cleartext) and the 2 servers (master & slave) synchronized.
    Could you pls advise how i should modify the syncrepl part? or could you pls provide a sample of the slapd.conf file configuration?

Best regards,

Eileen

------------------ ååéä ------------------
åää: "Michael StrÃder";<michael@stroeder.com>;
åéæé: 2014å3æ5æ(ææä) äå4:09
æää: "Dieter KlÃnter"<dieter@dkluenter.de>; "openldap-technical"<openldap-technical@openldap.org>;
äé: Re: mirror mode & sasl question

Dieter KlÃnter wrote:
> Am Wed, 5 Mar 2014 14:38:04 +0800
> schrieb "Eileen(=^Ï^=)" <123784635@qq.com>:
>> This is Eileen from China SINAP. I am a beginner for openldap soft. I
>> encountered a problem in my study on two LDAP services replication.
>> I have 2 LDAP services, one name LDPA1, the other is LDAP2 . I want
>> to make them synchronously in mirror mode. But when I set LDAP
>> services rootpw both in hash, the 2 LDAP serivces canât be
>> synchronous. My question is
>> 1.      if I set my rootpw in hash, my bindmethod must be SASL? If I
>> must use sasl method, can I put the sasl service in the same ldap
>> service? If bindmethod=sasl then what is the saslmech should be?
>> 2.      If I change to sasl method, do I need change my database
>> record?
>
> In order to use sasl, passwords must be cleartext and you should
> configure an apropriate authz-regexp, see man slapd.conf(5)
> You may use any sasl mechanism that you sasl framework provides.
> [...]

To be more precise: In order to use password-based SASL mechs the passwords
have to be stored in clear-text.

Well, if working with SASL and TLS (LDAPS, StartTLS) one should consider using
client certs and SASL/EXTERNAL for replication.

Ciao, Michael.