Hi Dieter,

 

    Thanks for your kindly replies.

         In my case, I don't use any SASL. I want to use simple bind, but my mirror mode can't work when my rootpw in hash( if the rootpw is in cleartext , the mirror mode can work). Could you pls advice what is wrong with my configration?

 

My slapd.conf file set as below.

 

moduleload syncprov.la

database        bdb

suffix          "dc=xxx,dc=xxx"

checkpoint    1024 15

rootdn          "cn=manager,dc=xxx,dc=xxx"

rootpw          {SSHA}aeiyuikahdkfjhdiuvy

directory       /var/lib/ldap/xxx

access to *

       by self write

       by * read

# Indices to maintain for this database

index objectClass,entryCSN,entryUUID                       eq,pres

index ou,cn,mail,surname,givenname      eq,pres,sub

index uidNumber,gidNumber,loginShell    eq,pres

index uid,memberUid                     eq,pres,sub

index nisMapName,nisMapEntry            eq,pres,sub

 

serverID 1 (ldap2 service is 2)

syncrepl  rid=001

          provider=ldap://other side ip

          bindmethod=simple

          binddn="cn=manager,dc=xxx,dc=xxx"

          credentials={SSHA} aeiyuikahdkfjhdiuvy

          searchbase="dc=xxx,dc=xxx"

          schemachecking=on

          type=refreshAndPersist

          retry="60 +"

mirrormode on

overlay syncprov

syncprov-checkpoint 100 10

syncprov-sessionlog 100

 

 

Thanks and regards

 

tiangexuan

 

 

-----邮件原件-----
发件人: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] 代表 Dieter Klünter
发送时间: 201448 16:25
收件人: openldap-technical@openldap.org
主题: Re: 回复: mirror mode question

 

Hi,

If I remeber correctly, you mentioned sasl authentication. My comments on plaintext passwords are only related to sasl authentication. A sasl authentication is based on a SASL MECHANISM, as described in rfc-4422.

In order to compare the sasl authentication string with the stored password value, this has to be cleartext.

If your ldap operation is based on a simple bind, the stored password can, and should be, hashed.

 

-Dieter

 

 

Am Tue, 8 Apr 2014 14:16:31 +0800

schrieb 田格瑄 <tiangexuan@sinap.ac.cn>:

 

> Hi Michael and Dieter,

>

>

>    I see the below mail, can I understand only the mirror mode

> replication cant use the HASH password in rootpw, other Synchronous

> replication mode(example: syncrepl proxy) can use the HASH password?

>

>

> Thanks and regards

>

> tiangexuan

>

>

> ------------------ 原始邮件 ------------------

>

> 发件人: "Michael Ströder";<michael@stroeder.com

> <mailto:michael@stroeder.com> >;

>

> 发送时间: 201435(星期三) 下午4:09

>

> 收件人: "Dieter Klünter"<dieter@dkluenter.de <mailto:dieter@dkluenter.de>

> >; "openldap-technical"<openldap-technical@openldap.org

> <mailto:openldap-technical@openldap.org> >;

>

> 主题: Re: mirror mode & sasl question

>

>

> Dieter Klünter wrote:

> > Am Wed, 5 Mar 2014 14:38:04 +0800

> > schrieb "Eileen(=^ω^=)" <123784635@qq.com <mailto:123784635@qq.com>

> > >:

> >> This is Eileen from China SINAP. I am a beginner for openldap soft.

> >> I encountered a problem in my study on two LDAP services

> >> replication. I have 2 LDAP services, one name LDPA1, the other is

> >> LDAP2 . I want to make them synchronously in mirror mode. But when

> >> I set LDAP services rootpw both in hash, the 2 LDAP serivces cant

> >> be synchronous. My question is

> >> 1.      if I set my rootpw in hash, my bindmethod must be SASL? If

> >> I must use sasl method, can I put the sasl service in the same ldap

> >> service? If bindmethod=sasl then what is the saslmech should be?

> >> 2.      If I change to sasl method, do I need change my database

> >> record?

> >

> > In order to use sasl, passwords must be cleartext and you should

> > configure an apropriate authz-regexp, see man slapd.conf(5) You may

> > use any sasl mechanism that you sasl framework provides.

> > [...]

>

> To be more precise: In order to use password-based SASL mechs the

> passwords have to be stored in clear-text.

>

> Well, if working with SASL and TLS (LDAPS, StartTLS) one should

> consider using client certs and SASL/EXTERNAL for replication.

>

> Ciao, Michael.

>

>

>

 

 

 

--

Dieter Klünter | Systemberatung

http://sys4.de

GPG Key ID: E9ED159B

53°37'09,95"N

10°08'02,42"E