--On Thursday, October 12, 2023 4:11 PM +0000 Marc Marc@f1-outsourcing.eu wrote:
I am trying to create an OpenLDAP master/slave solution with syncrepl, but I have not been successful so far.
I followed the suggestions of this site, with another sync password:
https://www.itzgeek.com/how-tos/linux/configure-openldap-master-slave-replication.html
One thing I did differently: on the master server, I created the replication user with a userPassword: in SSHA format instead of clear text.
I have clear text (older os), maybe that is it?
If a password is set using the LDAPv3 password modify extended operation, then the server will hash it. If the password is changed using an ldapmodify operation or an ldapadd operation, and it is in cleartext, the server will not hash it UNLESS ppolicy is also active on the server and it has been configured to intercept and hash cleartext passwords. See the slapo-ppolicy man page on how to configure this.
For the rest of the questions, I advise reading the OpenLDAP admin guide and not following instructions on random websites which are often incorrect.
I'd also note that OpenLDAP offers many secure password hashing mechanisms as the default SSHA is not considered secure. I've been moving to ARGON2 generally. You would need to know if the provider of your OpenLDAP packages included argon2 support in their build.
--Quanah
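As an added illustration of the hashing question in this thread (not code from the thread or from OpenLDAP itself): how the {SSHA} userPassword format Marc used is built and verified, and a small LDIF audit that flags entries whose userPassword was stored in cleartext, which is what happens when a cleartext value is added with ldapadd/ldapmodify and ppolicy is not hashing it. The sample LDIF and the ARGON2 string are constructed placeholders, not real directory data.

```python
import base64
import hashlib
import os
import re

# OpenLDAP stores hashed passwords as "{SCHEME}base64"; {SSHA} = base64(sha1(pw+salt)+salt).
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)

def ssha_hash(password, salt=None):
    """Return an OpenLDAP-compatible {SSHA} value (random 4-byte salt by default)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Check a cleartext password against a stored {SSHA} value."""
    m = SCHEME_RE.match(stored)
    if not m or m.group(1).upper() != "SSHA":
        return False
    raw = base64.b64decode(m.group(2))
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest

def password_scheme(value):
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else "cleartext"

def audit_userpasswords(ldif):
    """Map each DN in an LDIF dump to its userPassword scheme ('userPassword:: v' is base64, as ldapsearch emits it)."""
    result, dn = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("userPassword:: ") and dn:
            result[dn] = password_scheme(base64.b64decode(line[15:]).decode("utf-8"))
        elif line.startswith("userPassword: ") and dn:
            result[dn] = password_scheme(line[14:].strip())
    return result

# Constructed sample LDIF (not real data): hashed replicator, cleartext legacy user, ARGON2 admin.
SAMPLE_LDIF = "\n".join([
    "dn: cn=replicator,dc=example,dc=com",
    "userPassword: " + ssha_hash("replpass", salt=b"\x01\x02\x03\x04"),
    "",
    "dn: cn=legacy,dc=example,dc=com",
    "userPassword:: c2VjcmV0",  # base64 of 'secret': the stored value itself is cleartext
    "",
    "dn: cn=admin,dc=example,dc=com",
    "userPassword: {ARGON2}$argon2id$v=19$m=65536,t=2,p=1$placeholder$placeholder",
])
```

Running audit_userpasswords over a real `ldapsearch -LLL ... userPassword` dump (as a DN with read access to userPassword) shows which accounts still carry cleartext values and which still use SSHA rather than a stronger scheme.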