On Wed, 9 Apr 2014, 田格瑄 wrote:
Thank you very much~:) Can I understand I should change my config as below?
provider=ldap://other side ip bindmethod=simple binddn="cn=manager,dc=xxx,dc=xxx" credentials=sillypassword
Yes, above is the idea. You can hash the rootpw but your replication partners will of course need the cleartext password so they can authenticate.
Use slappasswd to generate the hash from your own secret password.
If yes, I have a question: other people can see my rootpw, this is not safe, isn't it?
Other people cannot decode the password from the hash. So your rootpw is safe on the provider node.
There is no way to secure the credentials on the consumer node as it will have to know the password in order to authenticate. Take a moment to think about how having a hashed password on the consumer would allow it to authenticate. And if it would, how would that stop somebody from grabbing the hashed password and using it if that would work.
If you do not like to have cleartext credentials you could of course use SASL method=external with client certificates as has been suggested before. You could then have a configuration without any cleartext passwords. But of course you would need to have the client certificate and corresponding private key on the consumer node. In that case this could be stolen.
Using a separate DN or client certificates for the replication user is good practice so you can limit the respective privileges to read only.
You could even use an ACL to further limit the client IP address from where the consumers can connect.
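As an added example (not from the thread, and not anyone's real configuration), here is how the suggestions above fit together in slapd.conf: a hashed rootpw from slappasswd, a dedicated read-only replication identity, SASL EXTERNAL with client certificates instead of a cleartext credentials= line, and a peername ACL. The DNs, certificate paths, the certificate subject and the 192.0.2.10 address are assumed values.

```conf
# --- Provider slapd.conf fragment (example only) ---
# rootpw holds the hash printed by `slappasswd`; the cleartext never appears here.
rootdn  "cn=manager,dc=example,dc=com"
rootpw  {SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT

# Demand and verify a client certificate issued by our own CA.
TLSCACertificateFile  /etc/openldap/certs/ca.crt
TLSCertificateFile    /etc/openldap/certs/provider.crt
TLSCertificateKeyFile /etc/openldap/certs/provider.key
TLSVerifyClient       demand

# SASL EXTERNAL presents the consumer's certificate subject as its identity.
# Map that subject (assumed value) to a dedicated replication entry, not the rootdn.
authz-regexp
  "^cn=consumer1,ou=replicas,o=example$"
  "cn=replicator,dc=example,dc=com"

# Replication needs unlimited search results, but only for the replicator.
limits dn.exact="cn=replicator,dc=example,dc=com"
  time.soft=unlimited time.hard=unlimited
  size.soft=unlimited size.hard=unlimited

# Read-only access for the replicator, and only from the consumer's address
# (dn and peername in one "by" clause must both match).
access to *
  by dn.exact="cn=replicator,dc=example,dc=com" peername.ip=192.0.2.10 read
  by self write
  by * none

# --- Consumer slapd.conf syncrepl stanza: no credentials= line at all ---
syncrepl rid=001
  provider=ldaps://provider.example.com
  type=refreshAndPersist
  searchbase="dc=example,dc=com"
  bindmethod=sasl
  saslmech=EXTERNAL
  tls_cacert=/etc/openldap/certs/ca.crt
  tls_cert=/etc/openldap/certs/consumer.crt
  tls_key=/etc/openldap/certs/consumer.key
  tls_reqcert=demand
  retry="60 +"
```

The consumer's private key (consumer.key) is the one secret left on the replica, so file permissions on it matter as much as the old cleartext password did.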