Hi Christian,
Thank you very much.
Do I understand correctly that I should change my config as below? If yes, I have a question: other people can see my rootpw, so this is not safe, is it?
moduleload syncprov.la
database bdb
suffix "dc=xxx,dc=xxx"
checkpoint 1024 15
rootdn "cn=manager,dc=xxx,dc=xxx"
rootpw {SSHA}miU6lvcqHnP+bAlZz4DruvOm8DeEczQR
directory /var/lib/ldap/xxx
access to *
    by self write
    by * read
# Indices to maintain for this database
index objectClass,entryCSN,entryUUID eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# serverID 1 on this server (ldap2 service is 2)
serverID 1
syncrepl rid=001
    provider=ldap://other side ip
    bindmethod=simple
    binddn="cn=manager,dc=xxx,dc=xxx"
    credentials=sillypassword
    searchbase="dc=xxx,dc=xxx"
    schemachecking=on
    type=refreshAndPersist
    retry="60 +"
mirrormode on
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
Thanks and regards
tiangexuan
-----Original Message-----
From: Christian Kratzer [mailto:ck-lists@cksoft.de]
Sent: April 9, 2014 13:49
To: 田格瑄
Cc: 'Dieter Klünter'; openldap-technical@openldap.org
Subject: Re: Reply: Reply: mirror mode question
Hi,
On Wed, 9 Apr 2014, 田格瑄 wrote:
> Hi Dieter,
>
> Thanks for your kind replies.
>
> In my case, I don't use any SASL. I want to use simple bind, but my mirror mode can't work when my rootpw is in hash (if the rootpw is in cleartext, the mirror mode can work). Could you please advise what is wrong with my configuration?
>
> My slapd.conf file is set as below.
>
> moduleload syncprov.la
> database bdb
> suffix "dc=xxx,dc=xxx"
> checkpoint 1024 15
> rootdn "cn=manager,dc=xxx,dc=xxx"
> rootpw {SSHA}aeiyuikahdkfjhdiuvy

1. That is not a hash.
2. Use slappasswd to generate the hash as follows:

    ck@ldap1:~ % slappasswd
    New password: sillypassword
    Re-enter new password: sillypassword
    {SSHA}miU6lvcqHnP+bAlZz4DruvOm8DeEczQR
    ck@ldap1:~ %

3. Use the result from slappasswd as your rootpw:

    rootpw {SSHA}miU6lvcqHnP+bAlZz4DruvOm8DeEczQR

4. Use a different password, as you have now posted it to the list in cleartext.

> credentials={SSHA} aeiyuikahdkfjhdiuvy

5. No. You need to use the cleartext password for replication credentials:

    credentials=sillypassword

6. You can only hash your rootpw. You will need to use a cleartext password to authenticate.

Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ck@cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
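
Added example, not part of the original thread and not OpenLDAP's own code: a Python model of how a `{SSHA}` value is built and checked on a simple bind. It shows why the quoted `{SSHA}aeiyuikahdkfjhdiuvy` is not a hash and why the value in `credentials=` has to be the cleartext password. The function names and the sample password `example-secret` are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import os

SHA1_LEN = 20  # bytes in a SHA-1 digest


def make_ssha(password, salt=None):
    """Build '{SSHA}' + base64(SHA1(password + salt) + salt); 4-byte salt by default."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def parse_ssha(value):
    """Return (digest, salt), or None when value is not a well-formed {SSHA} string."""
    if value[:6].upper() != "{SSHA}":
        return None
    try:
        raw = base64.b64decode(value[6:], validate=True)
    except binascii.Error:
        return None
    if len(raw) <= SHA1_LEN:  # must hold a full digest plus a non-empty salt
        return None
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def simple_bind_ok(stored, presented):
    """Model of the check: hash the presented cleartext with the stored salt, compare."""
    parsed = parse_ssha(stored)
    if parsed is None:
        return False
    digest, salt = parsed
    candidate = hashlib.sha1(presented.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = make_ssha("example-secret")  # constructed sample password
    print(simple_bind_ok(stored, "example-secret"))  # cleartext presented
    print(simple_bind_ok(stored, stored))            # hash string presented
    print(parse_ssha("{SSHA}aeiyuikahdkfjhdiuvy"))   # value quoted in the thread
```

The verifier can only recompute the digest from the cleartext and the stored salt, so a consumer that sends the `{SSHA}` string as its bind password is rejected.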