[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: çå: çå: ååï mirror mode question

To: çæç <tiangexuan@sinap.ac.cn>
Subject: Re: çå: çå: ååï mirror mode question
From: Christian Kratzer <ck-lists@cksoft.de>
Date: Wed, 9 Apr 2014 09:21:24 +0200 (CEST)
Cc: 'Dieter KlÃnter' <dieter@dkluenter.de>, openldap-technical@openldap.org
In-reply-to: <001901cf53b9$dbfed580$93fc8080$@sinap.ac.cn>
References: <tencent_0D0FBAC623DE6E942CAF7A02@qq.com> <000601cf52f2$15629820$4027c860$@sinap.ac.cn> <20140408102504.12e7e972@pink.avci.de> <000d01cf538e$bea72440$3bf56cc0$@sinap.ac.cn> <alpine.BSF.2.00.1404090743570.52971@pohjola.cksoft.de> <001901cf53b9$dbfed580$93fc8080$@sinap.ac.cn>
User-agent: Alpine 2.00 (BSF 1167 2008-08-23)

Hi,

On Wed, 9 Apr 2014, çæç wrote:

Hi Christian,



        Thank you very much~:)

        Can I understand I should change my config as below?

<snipp/>

rootpw          {SSHA}miU6lvcqHnP+bAlZz4DruvOm8DeEczQR

<snipp/>

syncrepl  rid=001

         provider=ldap://other side ip

         bindmethod=simple

         binddn="cn=manager,dc=xxx,dc=xxx"

         credentials=sillypassword


yes above is the idea.  You can hash the rootpw but your replication partners will of course need the cleartext password so they can authenticte.

Use slappasswd to generate the hash from your own secret password.

If yes, I have a question, other people can see my rootpw, this is not safe, isnât it ?


Other people cannot decode the password from the hash. So you rootpw is safe on the provider node.

There is now way to secure the credentials on the consumer node as it will have to know the password in order to authenticate.  Take a moment to think about how having a hashed password on the consumer would allow it to authenticate.  And if it would how would that stop somebody from grabbing the hashed password and using it if that would work.

If you do not like to have cleartext credentials you could of course use SASL method=external with client certificates as has been suggested before.  You could then have a configuration without any cleartext passwords. But of course you would need to have the client certifcate and corresponding private key on the consumer node.  In that case this could be stolen.

Using a separate dn or client certificates for the replication user is good practice so you can limit the respective privileges to read only.

You could even use an acl to further limit client ip address from where the consumers can connect.

Greetings
Christian

--
Christian Kratzer                   CK Software GmbH
Email:   ck@cksoft.de               Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843           Geschaeftsfuehrer: Christian Kratzer
Web:     http://www.cksoft.de/

References:
- çå: ååï mirror mode question
  - From: çæç <tiangexuan@sinap.ac.cn>
- Re: ååï mirror mode question
  - From: Dieter KlÃnter <dieter@dkluenter.de>
- çå: ååï mirror mode question
  - From: çæç <tiangexuan@sinap.ac.cn>
- Re: çå: ååï mirror mode question
  - From: Christian Kratzer <ck-lists@cksoft.de>
- çå: çå: ååï mirror mode question
  - From: çæç <tiangexuan@sinap.ac.cn>

Prev by Date: çå: çå: ååï mirror mode question
Next by Date: Checking client certificates against CRLs
Index(es):
- Chronological
- Thread