Hello,
I have used slappasswd -s to create an encrypted rootpw, i.e. rootpw {SSHA}Rwilfur49jrtPsw7dJJPp5RBoX2f+gHV
Can I use this same entry ({SSHA}Rwilfur49jrtPsw7dJJPp5RBoX2f+gHV) in the replication credentials, or do I need to put the unencrypted password instead? I.e.:
replica credentials="6202f430d9c9a97da8d041946847643f" or replica credentials="{SSHA}Rwilfur49jrtPsw7dJJPp5RBoX2f+gHV"
Thank you for your time.
Peter Clark
No, you need the unencrypted password. This has been (quite needlessly) debated on the list and likely is in the FAQ as well. One or more of those sources may have alternatives listed if you're so inclined.
You might want to change your rootpw now that you told it to us...
On Tue, 13 Nov 2007, Peter Clark wrote:
Hello,
I have used slappasswd -s to create an encrypted rootpw, i.e. rootpw {SSHA}Rwilfur49jrtPsw7dJJPp5RBoX2f+gHV
Can I use this same entry ({SSHA}Rwilfur49jrtPsw7dJJPp5RBoX2f+gHV) in the replication credentials, or do I need to put the unencrypted password instead? I.e.:
replica credentials="6202f430d9c9a97da8d041946847643f" or replica credentials="{SSHA}Rwilfur49jrtPsw7dJJPp5RBoX2f+gHV"
Thank you for your time.
Peter Clark
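As an added example (not from the thread and not OpenLDAP's own code), the following Python reimplements the {SSHA} scheme that slappasswd emits by default (SHA-1 over the password followed by a 4-byte salt, then base64 of digest plus salt) to show why the stored hash cannot stand in for the cleartext in credentials=: slapd can only check a cleartext bind password against it. The password and salt used below are constructed; the thread's hash is parsed only to show its layout.

```python
"""Added example: how an OpenLDAP {SSHA} value is built and checked, and why
the hash string itself is useless as a bind credential (slapd re-hashes the
cleartext the client sends and compares it with the stored digest)."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Value quoted in the thread; parsed only to show the layout (password unknown).
THREAD_HASH = "{SSHA}Rwilfur49jrtPsw7dJJPp5RBoX2f+gHV"


def parse_ssha(value: str) -> Tuple[bytes, bytes]:
    """Split '{SSHA}<base64>' into (sha1_digest, salt); the salt follows the
    20-byte SHA-1 digest inside the base64 payload."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):])
    if len(raw) <= 20:
        raise ValueError("too short to hold a SHA-1 digest plus salt")
    return raw[:20], raw[20:]


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """What slappasswd -h {SSHA} produces: base64(SHA1(password||salt) || salt).
    slappasswd uses a random 4-byte salt, as in the thread's value."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(stored: str, candidate: str) -> bool:
    """slapd's simple-bind check against a hashed rootpw/userPassword."""
    digest, salt = parse_ssha(stored)
    return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)


def hash_is_not_a_credential(stored: str) -> bool:
    """True when the hash string, offered as the bind password, is rejected:
    this is why replica credentials= must carry the cleartext."""
    return not verify_ssha(stored, stored)


if __name__ == "__main__":
    digest, salt = parse_ssha(THREAD_HASH)
    print(f"thread hash: {len(digest)}-byte digest, {len(salt)}-byte salt")
    h = make_ssha("constructed-example-pw")  # constructed password, random salt
    print(verify_ssha(h, "constructed-example-pw"), verify_ssha(h, "nope"))
    print("hash accepted as credentials=?", not hash_is_not_a_credential(h))
```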
Heh, thanks for the warning about the rootpw. I used an example of one from the internet. :)
If you cannot supply an encrypted password in the credentials= field, and you have both the rootpw= and credentials= visible in the slapd.conf, does it serve any purpose to encrypt the rootpw in the slapd.conf? Or is there another purpose to encrypting it other than to stop someone from parsing the file and getting it?
I hope that makes sense.
Thanks again, Peter Clark
I don't think you gain any special advantages by encrypting (or not) in a slapd.conf context versus any other encryption application. Like most password encryption, it largely boils down to speed bumps in the face of a preexisting access vector.
Keep in mind that you can run slapd(8) entirely without a rootdn/rootpw, either by initializing your directory with slapadd(8) offline or by setting a rootpw for some short period of time and then removing it once a sufficiently populated DIT is present to allow the desired access rules. In this case the only thing you lose is the ability to override ACLs. Many sites do not want such an ability, and purposefully keep off rootdn toward that goal.
I think the more direct answer is "this is why the docs tell you to use a different identity and password for the replication account."
openldap-software@openldap.org