5:57 p.m.
Hi Dieter,
Thanks for your kindly replies.
In my case, I don't use any SASL. I want to use simple bind, but my mirror
mode can't work when my rootpw in hash( if the rootpw is in cleartext , the mirror
mode can work). Could you pls advice what is wrong with my configration?
My slapd.conf file set as below.
moduleload syncprov.la
database bdb
suffix "dc=xxx,dc=xxx"
checkpoint 1024 15
rootdn "cn=manager,dc=xxx,dc=xxx"
rootpw {SSHA}aeiyuikahdkfjhdiuvy
directory /var/lib/ldap/xxx
access to *
by self write
by * read
# Indices to maintain for this database
index objectClass,entryCSN,entryUUID eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
serverID 1 (ldap2 service is 2)
syncrepl rid=001
provider=ldap://other side ip
bindmethod=simple
binddn="cn=manager,dc=xxx,dc=xxx"
credentials={SSHA} aeiyuikahdkfjhdiuvy
searchbase="dc=xxx,dc=xxx"
schemachecking=on
type=refreshAndPersist
retry="60 +"
mirrormode on
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
Thanks and regards
tiangexuan
-----邮件原件-----
发件人: openldap-technical-bounces(a)OpenLDAP.org
[mailto:openldap-technical-bounces@OpenLDAP.org] 代表 Dieter Klünter
发送时间: 2014年4月8日 16:25
收件人: openldap-technical(a)openldap.org
主题: Re: 回复: mirror mode question
Hi,
If I remeber correctly, you mentioned sasl authentication. My comments on plaintext
passwords are only related to sasl authentication. A sasl authentication is based on a
SASL MECHANISM, as described in rfc-4422.
In order to compare the sasl authentication string with the stored password value, this
has to be cleartext.
If your ldap operation is based on a simple bind, the stored password can, and should be,
hashed.
-Dieter
Am Tue, 8 Apr 2014 14:16:31 +0800
schrieb 田格瑄 < <mailto:tiangexuan@sinap.ac.cn> tiangexuan(a)sinap.ac.cn>:
> 收件人: "Dieter Klünter"<
<mailto:dieter@dkluenter.de%20%3cmailto:dieter@dkluenter.de> dieter(a)dkluenter.de
<mailto:dieter@dkluenter.de
--
Dieter Klünter | Systemberatung
<http://sys4.de> http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
Hi Michael and Dieter,
I see the below mail, can I understand only the mirror mode
replication can’t use the HASH password in rootpw, other Synchronous
replication mode(example: syncrepl proxy) can use the HASH password?
Thanks and regards
tiangexuan
------------------ 原始邮件 ------------------
发件人: "Michael Ströder";<michael(a)stroeder.com
< <mailto:michael@stroeder.com>
mailto:michael@stroeder.com> >;
发送时间: 2014年3月5日(星期三) 下午4:09
>;
"openldap-technical"<openldap-technical(a)openldap.org
< <mailto:openldap-technical@openldap.org>
mailto:openldap-technical@openldap.org> >;
主题: Re: mirror mode & sasl question
Dieter Klünter wrote:
> Am Wed, 5 Mar 2014 14:38:04 +0800
> schrieb "Eileen(=^ω^=)" <
<mailto:123784635@qq.com%20%3cmailto:123784635@qq.com> 123784635(a)qq.com
<mailto:123784635@qq.com>
> >:
>> This is Eileen from China SINAP. I am a beginner for
openldap soft.
>> I encountered a problem in my study on two LDAP services
>> replication. I have 2 LDAP services, one name LDPA1, the
other is
>> LDAP2 . I want to make them synchronously in mirror mode.
But when
>> I set LDAP services rootpw both in hash, the 2 LDAP serivces
can’t
>> be synchronous. My question is
>> 1. if I set my rootpw in hash, my bindmethod must be
SASL? If
>> I must use sasl method, can I put the sasl service in the
same ldap
>> service? If bindmethod=sasl then what is the saslmech should
be?
>> 2. If I change to sasl method, do I need change my
database
>> record?
> > In order to use sasl, passwords must be cleartext and you should
> configure an apropriate authz-regexp, see man slapd.conf(5) You
may
> use any sasl mechanism that you sasl framework provides.
> [...]
To be more precise: In order to use password-based SASL mechs the
passwords have to be stored in clear-text.
Well, if working with SASL and TLS (LDAPS, StartTLS) one should
consider using client certs and SASL/EXTERNAL for replication.
Ciao, Michael.