I need to create a user (or 2) for replication only, but don't really know where to put it or which structural class it should be.
I was thinking about:

dn: uid=Replicator,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: shadowAccount
userPassword: <some pw>
uid: Replicator
This works, but is this really the best way to create "admin accounts"?
For me, "admin accounts" are accounts used for various tasks related to server (not necessarily just slapd) maintenance. (Replication is the only "task" I can think of at the moment.)
Also, I have the following org unit:

dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
I was putting the above DN (cn=Replicator,...) in the root (as opposed to "ou=People,..."). Does that make sense? Or should I create an ou just for "admin/misc" accounts?
Lastly, is there a way to give a "non-plain text" password for the syncrepl user:

syncrepl rid=123 ... bindmethod=simple binddn="cn=Replicator,dc=example,dc=com" credentials={SSHA}<encrypted string>
All of the examples and docs seem to indicate that the credentials should be the password for the "binddn" in clear text.
TIA! Craig
On Thursday 07 June 2007 01:24:45 Craig wrote:
> I need to create a user (or 2) for replication only, but don't really know where to put it or which structural class it should be.
>
> I was thinking about:
>
> dn: uid=Replicator,dc=example,dc=com
> objectClass: top
> objectClass: account
> objectClass: shadowAccount

No need for shadowAccount.

> userPassword: <some pw>
> uid: Replicator
>
> This works, but is this really the best way to create "admin accounts"?
>
> For me, "admin accounts" are accounts used for various tasks related to server (not necessarily just slapd) maintenance. (Replication is the only "task" I can think of at the moment.)
>
> Also, I have the following org unit:
>
> dn: ou=People,dc=example,dc=com
> ou: People
> objectClass: top
> objectClass: organizationalUnit
>
> I was putting the above DN (cn=Replicator,...) in the root (as opposed to "ou=People,..."). Does that make sense? Or should I create an ou just for "admin/misc" accounts?

I created two branches in my tree called "ou=System Groups" and "ou=System Accounts". These kinds of "users" I put there, and I use the group names in ACLs.

> Lastly, is there a way to give a "non-plain text" password for the syncrepl user:
>
> syncrepl rid=123 ... bindmethod=simple binddn="cn=Replicator,dc=example,dc=com" credentials={SSHA}<encrypted string>
>
> All of the examples and docs seem to indicate that the credentials should be the password for the "binddn" in clear text.

Yes. Think about it: it's like a user typing his/her password at a login prompt. The openldap server (consumer) is behaving like a regular LDAP client in this context.

You can get away with it, a bit, if using SASL GSSAPI or perhaps EXTERNAL. But a secret will always be stored in the machine, be it a password, private key, keytab file, etc.

> TIA! Craig
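As an added example that is not from this thread or from OpenLDAP's own documentation, the two points Andreas makes above (group names in ACLs, and the consumer acting as an ordinary LDAP client with a clear-text bind password) fit together in slapd.conf like this. The provider fragment keys its ACL and limits on a group under "ou=System Groups"; the consumer fragment binds as an entry under "ou=System Accounts". The DNs, group name, provider host and rid are assumptions; the credentials value is a placeholder.

```conf
# --- provider slapd.conf fragment (added example) ---
# Replication consumers bind as members of this group and must be able to
# read userPassword hashes in order to replicate them. Everyone else gets
# only what a normal directory needs: users may change their own password,
# anonymous may use it to authenticate, nobody else can read it.
access to attrs=userPassword
    by group="cn=Replicators,ou=System Groups,dc=example,dc=com" read
    by self write
    by anonymous auth
    by * none

access to *
    by self write
    by users read
    by * none

# A full syncrepl refresh returns the whole tree, so lift the default
# size/time limits for the replicator group only (not for all users).
limits group="cn=Replicators,ou=System Groups,dc=example,dc=com"
    size=unlimited time=unlimited

# --- consumer slapd.conf fragment (added example) ---
# credentials= is the clear-text password of the binddn entry: the consumer
# is a plain LDAP client here, so the secret has to live in this file.
# Keep the file unreadable to others (e.g. root:ldap, mode 640) and send the
# bind over TLS so the password is not exposed on the wire.
syncrepl rid=123
    provider=ldap://provider.example.com
    type=refreshAndPersist
    retry="60 +"
    searchbase="dc=example,dc=com"
    bindmethod=simple
    binddn="uid=Replicator,ou=System Accounts,dc=example,dc=com"
    credentials=PLACEHOLDER_CLEARTEXT_PASSWORD
    starttls=critical
    tls_reqcert=demand
```

The clear-text value on the consumer and the hashed userPassword stored in the Replicator entry on the provider must correspond; the hash protects the directory entry, the file permissions protect the consumer's copy. Using a group rather than the account's DN in the ACL and limits means a second replicator (or a rotated account) only needs a new member attribute, not an ACL change.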
Andreas Hasenack wrote:
> No need for shadowAccount.

Where do you put the password? (I don't see any kind of password in the "account" object in cosine.schema.)

> I created two branches in my tree called "ou=System Groups" and "ou=System Accounts". These kinds of "users" I put there, and I use the group names in ACLs.

Kinda what I was thinking.

> Yes. Think about it: it's like a user typing his/her password at a login prompt. The openldap server (consumer) is behaving like a regular LDAP client in this context.
>
> You can get away with it, a bit, if using SASL GSSAPI or perhaps EXTERNAL. But a secret will always be stored in the machine, be it a password, private key, keytab file, etc.

Right. Makes sense. There will be *a* file that needs to be secure. Since the permissions on slapd.conf are 640, that's ok. Just wanted to make sure I wasn't missing something obvious. :)

Thanx so much for the help.

Craig
On Thu, Jun 07, 2007 at 04:07:11PM -0700, Craig wrote:
> Andreas Hasenack wrote:
> > No need for shadowAccount.
>
> Where do you put the password? (I don't see any kind of password in the "account" object in cosine.schema.)

Use the simpleSecurityObject AUX class together with account.
On Jun 7, 2007, at 4:07 PM, Craig wrote:
> Andreas Hasenack wrote:
> > No need for shadowAccount.
>
> Where do you put the password? (I don't see any kind of password in the "account" object in cosine.schema.)

You can add a simpleSecurityObject auxiliary objectClass to gain a userPassword field.
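Putting the two answers together, here is an added LDIF example (not from the thread, not from the cosine schema or OpenLDAP's docs) of the replication account as it would look with account plus the simpleSecurityObject auxiliary class, placed under the kind of "System Accounts" / "System Groups" branches mentioned earlier in the thread. The branch names, the group name and the description are assumptions; the userPassword value is a placeholder for slappasswd output.

```ldif
# Added example: containers for non-person accounts and their groups.
dn: ou=System Accounts,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: System Accounts

dn: ou=System Groups,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: System Groups

# The replication bind identity. account (structural) carries uid but has
# no password attribute; simpleSecurityObject (auxiliary) adds userPassword.
dn: uid=Replicator,ou=System Accounts,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
uid: Replicator
description: bind identity for syncrepl consumers (assumed name)
# Store a hash, never the clear text. Generate it with
#   slappasswd -h '{SSHA}'
# and paste the output in place of the placeholder.
userPassword: {SSHA}PLACEHOLDER_OUTPUT_OF_SLAPPASSWD

# Group referenced from ACLs and limits instead of the account's DN, so that
# adding or rotating a replicator only changes the member list.
dn: cn=Replicators,ou=System Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: Replicators
member: uid=Replicator,ou=System Accounts,dc=example,dc=com
```

Load it with something like `ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f system-accounts.ldif` (rootdn assumed). Because this entry's userPassword is a hash, it cannot be fed back into the consumer's syncrepl credentials= option; that option needs the clear-text password whose hash this is, which is the point made about clear-text credentials earlier in the thread.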
openldap-software@openldap.org