Hi, if I remember correctly, you mentioned SASL authentication. My comments on plaintext passwords are only related to SASL authentication. A SASL authentication is based on a SASL MECHANISM, as described in RFC 4422. In order to compare the SASL authentication string with the stored password value, this has to be cleartext. If your LDAP operation is based on a simple bind, the stored password can, and should be, hashed.
-Dieter
On Tue, 8 Apr 2014 14:16:31 +0800, 田格瑄 <tiangexuan@sinap.ac.cn> wrote:
Hi Michael and Dieter,
I see the mail below. Can I understand that only mirror mode replication can't use a hashed password in rootpw, while other synchronous replication modes (for example, syncrepl proxy) can use a hashed password?
Thanks and regards
tiangexuan
------------------ Original Message ------------------
From: "Michael Ströder" <michael@stroeder.com>;
Sent: Wednesday, 5 March 2014, 4:09 PM
To: "Dieter Klünter" <dieter@dkluenter.de>; "openldap-technical" <openldap-technical@openldap.org>;
Subject: Re: mirror mode & sasl question
Dieter Klünter wrote:
On Wed, 5 Mar 2014 14:38:04 +0800, "Eileen(=^ω^=)" <123784635@qq.com> wrote:
This is Eileen from China SINAP. I am a beginner with the OpenLDAP software. I encountered a problem in my study of replication between two LDAP services. I have 2 LDAP services, one named LDAP1, the other LDAP2. I want to make them synchronize in mirror mode. But when I set both LDAP services' rootpw in hash, the 2 LDAP services can't be synchronized. My questions are:
1. If I set my rootpw in hash, must my bindmethod be SASL? If I must use the sasl method, can I put the sasl service in the same ldap service? If bindmethod=sasl, then what should the saslmech be?
2. If I change to the sasl method, do I need to change my database record?
In order to use sasl, passwords must be cleartext and you should configure an appropriate authz-regexp, see man slapd.conf(5). You may use any sasl mechanism that your sasl framework provides. [...]
To be more precise: In order to use password-based SASL mechs the passwords have to be stored in clear-text.
Well, if working with SASL and TLS (LDAPS, StartTLS) one should consider using client certs and SASL/EXTERNAL for replication.
Ciao, Michael.
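To illustrate the distinction Dieter and Michael draw above, here is a stand-alone added example (not code from the thread, from OpenLDAP or from Cyrus SASL): a simple bind can be verified against a stored {SSHA} hash, because the server receives the candidate password itself, whereas a challenge-response SASL mechanism such as CRAM-MD5 (RFC 2195) only ever receives an HMAC of the password, so the server can recompute it only if it holds the cleartext. The password, salt and challenge are constructed sample values.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample credential for the demonstration (not from the thread).
PASSWORD = "correct horse battery staple"


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Produce an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def simple_bind_check(stored: str, candidate: str) -> bool:
    """Simple bind: the candidate password arrives in the BIND request, so the
    server can hash it with the stored salt and compare; no cleartext is kept."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("expected an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    recomputed = hashlib.sha1(candidate.encode() + salt).digest()
    return hmac.compare_digest(digest, recomputed)


def cram_md5_client_response(username: str, password: str, challenge: bytes) -> str:
    """CRAM-MD5 client side: prove knowledge of the password by sending
    HMAC-MD5(password, challenge); the password itself never crosses the wire."""
    mac = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {mac}"


def cram_md5_server_check(username: str, stored_secret: str,
                          challenge: bytes, response: str) -> bool:
    """CRAM-MD5 server side: recompute the HMAC with whatever secret is stored.
    Only the cleartext password yields the client's value; a {SSHA} string used
    as the HMAC key produces a different MAC, so verification fails."""
    expected = cram_md5_client_response(username, stored_secret, challenge)
    return hmac.compare_digest(expected, response)
```

The same limitation applies to DIGEST-MD5 and the other password-based SASL mechanisms, which is why SASL/EXTERNAL with client certificates avoids the cleartext-storage requirement entirely.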