Re: syncrepl without cleartext password.
- To: Prakash Padadune <prakash.padadune@gmail.com>
- Subject: Re: syncrepl without cleartext password.
- From: Christian Kratzer <ck-lists@cksoft.de>
- Date: Tue, 27 Oct 2015 17:52:01 +0100 (CET)
- Cc: openldap-technical@openldap.org
- In-reply-to: <CAMhj=fFj3s61k336amvAeNveo-Z3ue-kZmEOkYDqCZjz3-Ng9A@mail.gmail.com>
- References: <CAMhj=fFj3s61k336amvAeNveo-Z3ue-kZmEOkYDqCZjz3-Ng9A@mail.gmail.com>
- User-agent: Alpine 2.20 (BSF 67 2015-01-07)
Hi,
On Tue, 27 Oct 2015, Prakash Padadune wrote:
> I want to implement syncrepl without having cleartext password in the
> slapd.conf.
> How can this be achieved?
authenticate using client certificates and sasl_method = external
You will need the private key files on the clients though.
olcSyncrepl: {0}rid=001 provider=ldap://ldap1.foo.bar bindmethod=sasl saslmech=external keepalive=60:6:10 starttls=yes tls_cert="/etc/ssl/certs/server.cert" tls_key="/etc/ssl/certs/server.key" tls_cacert="/etc/ssl/certs/CA.cert" tls_reqcert=demand tls_crlcheck=none filter="(objectclass=*)" searchbase="dc=foo,dc=bar" scope=sub type=refreshAndPersist retry="60 10 300 +"
olcSyncrepl: {1}rid=002 provider=ldap://ldap2.foo.bar bindmethod=sasl saslmech=external keepalive=60:6:10 starttls=yes tls_cert="/etc/ssl/certs/server.cert" tls_key="/etc/ssl/certs/server.key" tls_cacert="/etc/ssl/certs/CA.cert" tls_reqcert=demand tls_crlcheck=none filter="(objectclass=*)" searchbase="dc=foo,dc=bar" scope=sub type=refreshAndPersist retry="60 10 300 +"
then map your certificate identity to an entry in your tree that has appropriate permissions:
olcAuthzRegexp: {0}"cn=([^,]*)," "cn=$1,ou=servers,dc=foo,dc=bar"
Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ck@cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/
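The mapping step above is where the authorization decision is actually made: with saslmech=external and tls_reqcert=demand, every certificate chaining to tls_cacert authenticates, and olcAuthzRegexp decides which entry that certificate becomes. The following is an added example (not code from the post or from OpenLDAP) that emulates slapd's authz-regexp evaluation so the mapping can be checked offline. It assumes slapd's semantics (rules tried in order, first match wins, the pattern is searched unanchored, $N is replaced by the N-th capture group) and that the identity string is the certificate subject DN in the lowercase form the post uses; the subject suffix ou=hosts,o=foo bar,c=de and both certificate subjects are constructed for illustration.

```python
"""Emulate slapd's authz-regexp mapping to see what a certificate subject
becomes.  Added example, not code from the original post.  Matching
semantics (rules in order, first match wins, unanchored regex search,
$N replaced by the N-th capture group) are assumed to follow slapd;
the subject DNs below are constructed for illustration."""
import re
from typing import Optional, Sequence, Tuple

# (pattern, replacement), as in olcAuthzRegexp.
AuthzRule = Tuple[str, str]

# Rule exactly as posted in the thread: no anchors, so any identity that
# contains "cn=...," anywhere matches.
POSTED_RULE: AuthzRule = (r"cn=([^,]*),", "cn=$1,ou=servers,dc=foo,dc=bar")

# Tightened rule (assumption: replica certificates are issued with the
# hypothetical subject suffix ou=hosts,o=foo bar,c=de).  Anchors plus the
# full suffix mean only those certificates are mapped into ou=servers.
ANCHORED_RULE: AuthzRule = (
    r"^cn=([^,]+),ou=hosts,o=foo bar,c=de$",
    "cn=$1,ou=servers,dc=foo,dc=bar",
)

# Constructed subject DNs of two certificates issued by the same CA
# (tls_cacert trusts every certificate that CA signed): a replica host
# and an ordinary user.  Lowercase attribute types as in the post (assumption).
SERVER_CERT_SUBJECT = "cn=ldap1.foo.bar,ou=hosts,o=foo bar,c=de"
USER_CERT_SUBJECT = "cn=alice,ou=people,o=foo bar,c=de"


def apply_authz_regexp(identity: str, rules: Sequence[AuthzRule]) -> Optional[str]:
    """Return the DN the first matching rule rewrites `identity` to, or
    None when no rule matches (the identity then stays as presented)."""
    for pattern, replacement in rules:
        m = re.search(pattern, identity)  # search, not fullmatch: slapd does not anchor for you
        if m is None:
            continue
        # Expand $1..$9 with the corresponding capture group.
        return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None


def effective_identity(identity: str, rules: Sequence[AuthzRule]) -> str:
    """DN that ACLs will see after mapping: the rewritten DN, or the raw
    subject DN when nothing matched."""
    mapped = apply_authz_regexp(identity, rules)
    return mapped if mapped is not None else identity


if __name__ == "__main__":
    for label, rules in (("posted", [POSTED_RULE]), ("anchored", [ANCHORED_RULE])):
        for subject in (SERVER_CERT_SUBJECT, USER_CERT_SUBJECT):
            print(f"{label:8} {subject!r:45} -> {effective_identity(subject, rules)!r}")
```

With the posted rule the user certificate is rewritten to cn=alice,ou=servers,dc=foo,dc=bar just like the replica's, so an ACL written as by dn.children="ou=servers,dc=foo,dc=bar" would cover every certificate the CA has ever issued with a cn; the anchored rule leaves the user's subject DN untouched, where no replica ACL applies. On the live provider the same check is ldapwhoami -Y EXTERNAL -ZZ -H ldap://ldap1.foo.bar with LDAPTLS_CERT and LDAPTLS_KEY pointing at the replica's certificate and key; it should print the mapped ou=servers DN and nothing else for a certificate that is not a replica's.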