Re: 回复： mirror mode question

Hi Michael and Dieter, Thanks for your kindly replies. In my case, I didn't use any SASL or TLS but "simple" method with operation mode of user/password authenticated. However, I need the rootpw hashed (not cleartext) and the 2 servers (master & slave) synchronized. Could you pls advise how i should modify the syncrepl part? or could you pls provide a sample of the slapd.conf file configuration? Best regards, Eileen ------------------ 原始邮件 ------------------ 发件人: "Michael Ströder&quot;;&lt;michael(a)stroeder.com&gt;; 发送时间: 2014年3月5日(星期三) 下午4:09 收件人: "Dieter Klünter&quot;&lt;dieter(a)dkluenter.de&gt;; &quot;openldap-technical&quot;&lt;openldap-technical(a)openldap.org&gt;; 主题: Re: mirror mode & sasl question Dieter Klünter wrote: > Am Wed, 5 Mar 2014 14:38:04 +0800 > schrieb "Eileen(=^ω^=)" <123784635(a)qq.com&gt;: >> This is Eileen from China SINAP. I am a beginner for openldap >> soft. I encountered a problem in my study on two LDAP services >> replication. I have 2 LDAP services, one name LDPA1, the other is >> LDAP2 . I want to make them synchronously in mirror mode. But when >> I set LDAP services rootpw both in hash, the 2 LDAP serivces can’t >> be synchronous. My question is >> 1. if I set my rootpw in hash, my bindmethod must be SASL? If >> I must use sasl method, can I put the sasl service in the same ldap >> service? If bindmethod=sasl then what is the saslmech should be? >> 2. If I change to sasl method, do I need change my database >> record? > > In order to use sasl, passwords must be cleartext and you should > configure an apropriate authz-regexp, see man slapd.conf(5) > You may use any sasl mechanism that you sasl framework provides. > [...] To be more precise: In order to use password-based SASL mechs the passwords have to be stored in clear-text. Well, if working with SASL and TLS (LDAPS, StartTLS) one should consider using client certs and SASL/EXTERNAL for replication. Ciao, Michael.