I want to implement syncrepl without having cleartext password in the slapd.conf. How this can be achieved?
~~~ *Prakash*
Prakash Padadune wrote:
I want to implement syncrepl without having cleartext password in the slapd.conf. How this can be achieved?
Use TLS with client certs and SASL/EXTERNAL. Of course this needs key files in clear-text on the disk if you want to start slapd unattended.
Ciao, Michael.
Hi,
On Tue, 27 Oct 2015, Prakash Padadune wrote:
I want to implement syncrepl without having cleartext password in the slapd.conf. How this can be achieved?
authenticate using client certificates and sasl_method = external
You will need the private key files on the clients though.
olcSyncrepl: {0}rid=001 provider=ldap://ldap1.foo.bar bindmethod=sasl saslmech=external keepalive=60:6:10 starttls=yes tls_cert="/etc/ssl/certs/server.cert" tls_key="/etc/ssl/certs/server.key" tls_cacert="/etc/ssl/certs/CA.cert" tls_reqcert=demand tls_crlcheck=none filter="(objectclass=*)" searchbase="dc=foo,dc=bar" scope=sub type=refreshAndPersist retry="60 10 300 +"
olcSyncrepl: {1}rid=002 provider=ldap://ldap2.foo.bar bindmethod=sasl saslmech=external keepalive=60:6:10 starttls=yes tls_cert="/etc/ssl/certs/server.cert" tls_key="/etc/ssl/certs/server.key" tls_cacert="/etc/ssl/certs/CA.cert" tls_reqcert=demand tls_crlcheck=none filter="(objectclass=*)" searchbase="dc=foo,dc=bar" scope=sub type=refreshAndPersist retry="60 10 300 +"
then map your certificate identity to an entry in your tree that has appropriate permissions:
olcAuthzRegexp: {0}"cn=([^,]*)," "cn=$1,ou=servers,dc=foo,dc=bar"
Greetings Christian
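The two steps in Christian's reply (a SASL/EXTERNAL consumer stanza, then an olcAuthzRegexp mapping of the certificate identity) can be checked before the config is loaded. The script below is an added example, not code from the thread or from the OpenLDAP project: it parses olcSyncrepl values of the shape shown above into key/value pairs (quoted values such as retry="60 10 300 +" contain spaces), flags a stanza that still carries a cleartext credentials= keyword or lacks the TLS material that client-certificate authentication needs, and applies olcAuthzRegexp-style rules to a certificate subject DN to show which entry the replication identity would be mapped to. The sample stanzas and the subject DN are constructed; the regexp rule is the one from the reply. A caveat the audit surfaces: the posted stanzas set tls_crlcheck=none, so the consumer never checks the provider's certificate against a CRL.

```python
import re
import shlex

# olcAuthzRegexp rule from the reply: (pattern, replacement); $1 is the cn captured.
AUTHZ_REGEXP = [(r'cn=([^,]*),', 'cn=$1,ou=servers,dc=foo,dc=bar')]

# Constructed samples. The first mirrors the SASL/EXTERNAL stanza from the reply,
# the second is a simple-bind stanza with a cleartext password (the thing to avoid).
SAMPLE_EXTERNAL = (
    '{0}rid=001 provider=ldap://ldap1.foo.bar bindmethod=sasl saslmech=external '
    'keepalive=60:6:10 starttls=yes tls_cert="/etc/ssl/certs/server.cert" '
    'tls_key="/etc/ssl/certs/server.key" tls_cacert="/etc/ssl/certs/CA.cert" '
    'tls_reqcert=demand tls_crlcheck=none filter="(objectclass=*)" '
    'searchbase="dc=foo,dc=bar" scope=sub type=refreshAndPersist retry="60 10 300 +"'
)
SAMPLE_SIMPLE = (
    '{0}rid=003 provider=ldap://ldap1.foo.bar bindmethod=simple '
    'binddn="cn=replicator,dc=foo,dc=bar" credentials=hunter2 '
    'searchbase="dc=foo,dc=bar" type=refreshOnly interval=00:00:05:00'
)


def parse_syncrepl(value):
    """Split an olcSyncrepl value into a dict of keyword -> value.

    The leading {n} ordering prefix is dropped; shlex handles double-quoted
    values that contain spaces, returning them without the quotes.
    """
    value = re.sub(r'^\{\d+\}', '', value.strip())
    params = {}
    for token in shlex.split(value):
        key, sep, val = token.partition('=')
        if not sep:
            raise ValueError(f'malformed syncrepl token: {token!r}')
        params[key] = val
    return params


def audit_syncrepl(params):
    """Return findings (strings) for one parsed consumer stanza."""
    findings = []
    if 'credentials' in params:
        findings.append('ERROR: cleartext credentials= present in syncrepl stanza')
    uses_external = (params.get('bindmethod') == 'sasl'
                     and params.get('saslmech', '').upper() == 'EXTERNAL')
    if uses_external:
        # Client-certificate auth needs the cert, its key and a CA to verify the provider.
        for key in ('tls_cert', 'tls_key', 'tls_cacert'):
            if key not in params:
                findings.append(f'ERROR: SASL/EXTERNAL stanza lacks {key}')
        over_ldaps = params.get('provider', '').startswith('ldaps://')
        if params.get('starttls') not in ('yes', 'critical') and not over_ldaps:
            findings.append('ERROR: client-cert auth needs starttls=yes/critical or ldaps://')
    if params.get('tls_reqcert') != 'demand':
        findings.append('WARN: tls_reqcert is not demand; provider certificate not enforced')
    if params.get('tls_crlcheck', 'none') == 'none':
        findings.append('WARN: tls_crlcheck=none; provider certificate revocation not checked')
    return findings


def map_authz(subject_dn, rules=AUTHZ_REGEXP):
    """Apply olcAuthzRegexp-style rules to an authentication DN; first match wins.

    $1..$9 in the replacement are substituted with the captured groups, the way
    slapd rewrites the certificate subject into an entry DN.
    """
    for pattern, replacement in rules:
        match = re.search(pattern, subject_dn)
        if match:
            return re.sub(r'\$(\d)', lambda g: match.group(int(g.group(1))), replacement)
    return None


if __name__ == '__main__':
    for label, stanza in (('external', SAMPLE_EXTERNAL), ('simple', SAMPLE_SIMPLE)):
        print(label, audit_syncrepl(parse_syncrepl(stanza)))
    # Constructed certificate subject, as slapd presents it for SASL/EXTERNAL over TLS.
    print(map_authz('cn=ldap2.foo.bar,ou=hosts,o=Example'))
```

Run the audit over every olcSyncrepl value in the consumer's cn=config dump; a stanza with no ERROR findings and a subject DN that maps to the intended ou=servers entry is the configuration the reply describes. The mapping function only shows what the regexp would produce; the entry it points at still needs read access to the replicated subtree.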
openldap-technical@openldap.org