Hola!
I have this situation at hand, and would like to solve it the proper way. It appears this kind of information on OpenLDAP is hard to come by.
Host1 holds the master OpenLDAP DIT. Host2 holds a full syncrepl-replicated, read-only copy of the same DIT.
Replication latency should be minimised. 30 seconds is ok, though.
Host1's slapd.conf contains lines like:

    overlay syncprov
    syncprov-checkpoint 1 1
    syncprov-sessionlog 100

Host2's slapd.conf contains the directive:

    syncrepl rid=10
        provider=ldap://HOST1:389
        starttls=critical
        type=refreshAndPersist
        interval=00:00:00:29
        binddn="cn=replicator,dc=BASENAME"
        credentials="secret_password"
        bindmethod=simple
        searchbase="dc=BASENAME"

It seems to work ok, but I don't like the idea of having a plain text password in Host2's slapd.conf.
Any comments on the Host1's values would be valuable. Same goes for Host2's values.
Is SASL the only sensible way to go here, security-wise?
//Kari
--On Saturday, April 21, 2007 11:08 PM +0300 Kari Mattsson kari@trivore.com wrote:
You could use SASL/EXTERNAL (cert auth) certainly... I'll note that "interval" is not a valid parameter for "refreshAndPersist", I suggest looking at the "retry" parameter and going back over the documentation.
--Quanah
-- Quanah Gibson-Mount, Senior Systems Software Developer, ITS/Shared Application Services, Stanford University. GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
On Sat, 21 Apr 2007, Quanah Gibson-Mount wrote: ...
It seems to work ok, but I don't like the idea of having plain text password on the Host2's slapd.conf.
Is SASL the only sensible way to go here, security-wise?
You could use SASL/EXTERNAL (cert auth) certainly... I'll note that "interval" is not a valid parameter for "refreshAndPersist", I suggest looking at the "retry" parameter and going back over the documentation.
Of course, the credentials are still on the machine, just in a separate, multikilobyte file. While that's less likely to be accidentally observed (unlike a password that can be read over the shoulder of a sysadmin), it may be more difficult (or just more work) to revoke if it is stolen than a simple password. If you go this route, I would suggest that you test and document locally the procedure for adding host2's cert to the CRL on host1.
Philip Guenther, Sendmail, Inc.
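The two suggestions above (Quanah's SASL/EXTERNAL certificate bind, and Philip's point that the consumer's certificate must be revocable and the revocation procedure rehearsed) can be tried end to end on one machine. The script below is an added example and not part of the thread or of OpenLDAP's own documentation. It builds a throwaway CA with the openssl command line, issues certificates for both hosts, writes out the slapd.conf fragments that replace the plaintext credentials= bind with a TLS client certificate (retry= in place of the interval= that refreshAndPersist does not accept; the consumer-side tls_* syncrepl options are OpenLDAP 2.4 syntax), then revokes host2's certificate, regenerates the CRL and checks that the certificate now fails a CRL-aware verification, which is what host1's TLSCRLCheck would enforce once the new crl.pem is installed. HOST1, HOST2, dc=BASENAME, the /etc/ldap/tls/ paths and the "Replication CA" name are placeholders; the certificate subject is chosen to equal the replicator DN so that slapd needs no authz-regexp mapping.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway PKI for syncrepl over
# SASL/EXTERNAL, the matching slapd.conf fragments, and a revocation rehearsal.
# HOST1/HOST2, dc=BASENAME and /etc/ldap/tls/ are hypothetical placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch dir: keys, certs, CA database, config
CFG="$WORK/ca.cnf"

setup_ca() {
  mkdir -p "$WORK/newcerts"
  : > "$WORK/index.txt"; echo 01 > "$WORK/serial"; echo 01 > "$WORK/crlnumber"
  # Minimal "openssl ca" configuration; the index database is what makes
  # a later revocation possible, so it is kept from the first certificate on.
  cat > "$CFG" <<EOF
[ ca ]
default_ca = repl_ca
[ repl_ca ]
dir = $WORK
database = $WORK/index.txt
new_certs_dir = $WORK/newcerts
certificate = $WORK/ca.pem
private_key = $WORK/ca.key
serial = $WORK/serial
crlnumber = $WORK/crlnumber
default_md = sha256
default_crl_days = 30
policy = policy_repl
[ policy_repl ]
domainComponent = optional
commonName = supplied
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Replication CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # Publish an (empty) CRL from day one so a CRL check never fails for lack of one.
  openssl ca -config "$CFG" -gencrl -out "$WORK/crl.pem" 2>/dev/null
}

# issue_cert NAME SUBJECT: key + CSR + CA-signed cert, recorded in index.txt
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl ca -config "$CFG" -batch -notext -days 365 \
    -in "$WORK/$1.csr" -out "$WORK/$1.pem" 2>/dev/null
}

# Exit 0 only if the named cert chains to the CA and is absent from the CRL.
cert_is_valid() {
  openssl verify -CAfile "$WORK/ca.pem" -crl_check -CRLfile "$WORK/crl.pem" \
    "$WORK/$1.pem" >/dev/null 2>&1
}

# The procedure to document: revoke in the CA database, regenerate the CRL,
# then install crl.pem on host1 (c_rehash'd TLSCACertificatePath for OpenSSL
# builds, TLSCRLFile for GnuTLS builds) and restart or reload slapd.
revoke_cert() {
  openssl ca -config "$CFG" -batch -revoke "$WORK/$1.pem" -crl_reason keyCompromise 2>/dev/null
  openssl ca -config "$CFG" -gencrl -out "$WORK/crl.pem" 2>/dev/null
}

write_slapd_fragments() {
  cat > "$WORK/host1-slapd.conf" <<'EOF'
# host1 (provider): verify client certs, check them against the CRL
TLSCACertificateFile /etc/ldap/tls/ca.pem
TLSCertificateFile /etc/ldap/tls/host1.pem
TLSCertificateKeyFile /etc/ldap/tls/host1.key
# try: clients without a cert may still bind another way; demand: cert required
TLSVerifyClient try
# directory holding the c_rehash'd CA cert and crl.pem; TLSCRLCheck needs it
TLSCACertificatePath /etc/ldap/tls/hashed
TLSCRLCheck peer
# the cert subject cn=replicator,dc=BASENAME is the SASL/EXTERNAL identity
access to * by dn.exact="cn=replicator,dc=BASENAME" read by * break
overlay syncprov
syncprov-checkpoint 1 1
syncprov-sessionlog 100
EOF
  cat > "$WORK/host2-slapd.conf" <<'EOF'
# host2 (consumer): the private key replaces the password; no plaintext secret
# retry= replaces the interval= setting, which applies to refreshOnly only
syncrepl rid=10
    provider=ldap://HOST1:389
    starttls=critical
    tls_cacert=/etc/ldap/tls/ca.pem
    tls_cert=/etc/ldap/tls/host2.pem
    tls_key=/etc/ldap/tls/host2.key
    tls_reqcert=demand
    bindmethod=sasl
    saslmech=EXTERNAL
    type=refreshAndPersist
    retry="5 10 60 +"
    searchbase="dc=BASENAME"
EOF
}

setup_ca
issue_cert host1 "/DC=BASENAME/CN=HOST1"
issue_cert host2 "/DC=BASENAME/CN=replicator"
write_slapd_fragments
cert_is_valid host2 && echo "host2 replicator cert accepted"
revoke_cert host2
cert_is_valid host2 || echo "host2 replicator cert now rejected by CRL check"
```

Run it with a writable WORK directory (or let it use mktemp) and an openssl binary on PATH; the generated host1-slapd.conf and host2-slapd.conf are fragments to merge into the real configuration, not complete files. The security-relevant lesson is the last two lines: the key file on host2 is exactly as sensitive as the old password, and the only thing that makes it better is a revocation path you have actually exercised.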
Quanah Gibson-Mount wrote:
You could use SASL/EXTERNAL (cert auth) certainly... I'll note that "interval" is not a valid parameter for "refreshAndPersist", I suggest looking at the "retry" parameter and going back over the documentation.
Yes, thanks. So it seems. I went to the manual page. I would like to note that there is a somewhat misleading error in the example on the page http://www.openldap.org/faq/data/cache/1117.html. In the explanation below it, the text is correct.
On the subject matter, I'll go for SASL. Thanks!
----- "Kari Mattsson" kari@trivore.com wrote:
Yes, thanks. So it seems. I went to the manual page. I would like to note that there is a somewhat misleading error in the example on the page http://www.openldap.org/faq/data/cache/1117.html. In the explanation below it, the text is correct.
Kari,
Thanks for pointing out the FAQ entry that was problematic, I've edited it so it is correct now.
--Quanah
-- Quanah Gibson-Mount, Principal Software Engineer, Zimbra, Inc. Zimbra :: the leader in open source messaging and collaboration
On Sunday 22 April 2007, Quanah Gibson-Mount wrote:
You could use SASL/EXTERNAL (cert auth) certainly... I'll note that "interval" is not a valid parameter for "refreshAndPersist", I suggest looking at the "retry" parameter and going back over the documentation.
Are you sure? Howard suggested I use it in his response to ITS #4691 (which, now that I have a failover site again, I may be able to reproduce again to test this).
Regards, Buchan
--On Monday, April 23, 2007 7:00 PM +0200 Buchan Milne bgmilne@staff.telkomsa.net wrote:
On Sunday 22 April 2007, Quanah Gibson-Mount wrote:
You could use SASL/EXTERNAL (cert auth) certainly... I'll note that "interval" is not a valid parameter for "refreshAndPersist", I suggest looking at the "retry" parameter and going back over the documentation.
Are you sure?
Yes. The "interval" parameter only applies when using "refreshOnly".
--Quanah
Buchan Milne wrote:
On Sunday 22 April 2007, Quanah Gibson-Mount wrote:
You could use SASL/EXTERNAL (cert auth) certainly... I'll note that "interval" is not a valid parameter for "refreshAndPersist", I suggest looking at the "retry" parameter and going back over the documentation.
Are you sure? Howard suggested I use it in his response to ITS #4691 (which, now that I have a failover site again, I may be able to reproduce again to test this).
I probably missed whether you were using refreshOnly or refreshAndPersist...