On Wed, 9 Apr 2014, 田格瑄 wrote:
Thank you very much~:)
Can I understand I should change my config as below?
provider=ldap://other side ip
yes above is the idea. You can hash the rootpw but your replication partners will of
course need the cleartext password so they can authenticte.
Use slappasswd to generate the hash from your own secret password.
If yes, I have a question, other people can see my rootpw, this is
not safe, isn’t it ?
Other people cannot decode the password from the hash. So you rootpw is safe on the
There is now way to secure the credentials on the consumer node as it will have to know
the password in order to authenticate. Take a moment to think about how having a hashed
password on the consumer would allow it to authenticate. And if it would how would that
stop somebody from grabbing the hashed password and using it if that would work.
If you do not like to have cleartext credentials you could of course use SASL
method=external with client certificates as has been suggested before. You could then
have a configuration without any cleartext passwords. But of course you would need to have
the client certifcate and corresponding private key on the consumer node. In that case
this could be stolen.
Using a separate dn or client certificates for the replication user is good practice so
you can limit the respective privileges to read only.
You could even use an acl to further limit client ip address from where the consumers can
Christian Kratzer CK Software GmbH
Email: ck(a)cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer