On Sat, 21 Apr 2007, Quanah Gibson-Mount wrote:
> ...
>> It seems to work ok, but I don't like the idea of having a plain-text password in Host2's slapd.conf.
>> Is SASL the only sensible way to go here, security-wise?
>
> You could use SASL/EXTERNAL (cert auth), certainly... I'll note that "interval" is not a valid parameter for "refreshAndPersist"; I suggest looking at the "retry" parameter and going back over the documentation.
Of course, the credentials are still on the machine, just in a separate, multikilobyte file. While that's less likely to be accidentally observed (unlike a password that can be read over the shoulder of a sysadmin), it may be more difficult (or just more work) to revoke if it is stolen than a simple password. If you go this route, I would suggest that you test and document locally the procedure for adding host2's cert to the CRL on host1.
Philip Guenther
Sendmail, Inc.
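As an added example (not part of the thread), here is what the two approaches look like in slapd.conf: the simple-bind form the poster was uneasy about beside the SASL/EXTERNAL form, plus the provider side that demands the client certificate and checks it against the CA's CRL. It uses OpenLDAP 2.4 syncrepl syntax; the hostnames, file paths, DNs and the credentials value are constructed.

```conf
# host2 (consumer) slapd.conf, the form the poster was uneasy about:
# the replication password sits in this file in plain text. Note the
# retry keyword: "interval" applies only to refreshOnly.
syncrepl rid=001
    provider=ldap://host1.example.com
    type=refreshAndPersist
    retry="60 +"
    searchbase="dc=example,dc=com"
    bindmethod=simple
    binddn="cn=replicator,dc=example,dc=com"
    credentials=ConstructedPlaceholderSecret

# host2 (consumer) slapd.conf, SASL/EXTERNAL instead: no password in
# the file. The consumer authenticates with host2.key (readable only by
# the slapd user), starttls=critical aborts if TLS cannot be negotiated,
# and tls_reqcert=demand makes the consumer verify host1's certificate too.
syncrepl rid=001
    provider=ldap://host1.example.com
    type=refreshAndPersist
    retry="60 +"
    searchbase="dc=example,dc=com"
    bindmethod=sasl
    saslmech=EXTERNAL
    starttls=critical
    tls_cert=/etc/openldap/certs/host2.crt
    tls_key=/etc/openldap/certs/host2.key
    tls_cacert=/etc/openldap/certs/ca.crt
    tls_reqcert=demand

# host1 (provider) slapd.conf: demand a client certificate (use "try"
# instead if other clients connect without one), check it against the
# CA's CRL, and map the certificate's subject DN to the replicator
# identity your ACLs already grant read access to. TLSCACertificatePath
# holds the CA certificate and its CRL in the hashed layout OpenSSL
# expects (run c_rehash after updating the CRL); revoking host2's
# certificate means publishing it in that CRL, the procedure worth
# rehearsing in advance.
TLSCertificateFile    /etc/openldap/certs/host1.crt
TLSCertificateKeyFile /etc/openldap/certs/host1.key
TLSCACertificatePath  /etc/openldap/cacerts
TLSVerifyClient       demand
TLSCRLCheck           peer
# Subject DN of host2's certificate (constructed), as slapd presents it
# after a SASL/EXTERNAL bind, rewritten to the replicator DN.
authz-regexp
    "cn=host2.example.com,ou=replicas,o=example"
    "cn=replicator,dc=example,dc=com"
```

With TLSCRLCheck in place, a consumer whose certificate appears in the CRL fails the TLS handshake, so replication stops without anything having to change in the ACLs or the replicator entry.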