Hi All -
Our server team does not want to update our OpenLDAP version beyond 2.2 because Red Hat supports 2.2 as the latest and greatest for RHEL4.
So I am trying to configure slurpd replication for them. I got the replication to work. But when defining "replica", I got the following questions.
1) For credentials, can I use a hashed password like for rootpw?
2) If we could use a hashed password, what should the bindmethod be?
replica uri=<URL>
binddn=<Bind DN>
bindmethod=simple --> ???
credentials=XXXXXXXXX
Thanks in advance.
-Sai
Sai wrote:
> Our server team does not want to update our openldap version beyond 2.2 because redhat supports 2.2 as the latest and greatest for RHEL4. So I am trying to configure slurpd replication for them. I got the replication to work.
Don't take it personally, but I consider such a decision by your server team to be really stupid.
1. OpenLDAP release series 2.2.x is ancient. It reached end of life years ago. There are no updates anymore by the OpenLDAP project, not even security updates. Don't expect support here if you run into any specific problems. Ask Red Hat support then. In particular, you should not deploy 2.2.13, which AFAIK was shipped with RHEL4.
2. There are good reasons why slurpd was replaced by the syncrepl implementation, deprecated in release 2.3.x and removed from release series 2.4.x. You shouldn't use it in a serious deployment today.
> But when defining “replica”, I got the following questions.
> For credentials, can I use hashed password like for rootpw
No, credentials have to be provided in clear since slurpd is an LDAP client to the slave.
Ciao, Michael.
Michael Ströder wrote:
> Sai wrote:
>> But when defining “replica”, I got the following questions.
>> For credentials, can I use hashed password like for rootpw
> No, credentials have to be provided in clear since slurpd is an LDAP client to the slave.
> Ciao, Michael.
Evening,
a bit off topic, but is this also valid for 2.4.x series? I'm pretty much sure it is for simple bind - perhaps SASL would allow hashed passwords?
Thanks and have a nice weekend, Zdenek
Zdenek Styblik wrote:
> Michael Ströder wrote:
>> Sai wrote:
>>> But when defining “replica”, I got the following questions.
>>> For credentials, can I use hashed password like for rootpw
>> No, credentials have to be provided in clear since slurpd is an LDAP client to the slave.
> a bit off topic, but is this also valid for 2.4.x series?
slurpd is not available in 2.4.x anymore.
> perhaps SASL would allow hashed passwords?
No. E.g. SASL bind DIGEST-MD5 needs the clear-text password in the config(!) to be able to generate the hash over the challenge value and the clear-text password. A hash is transmitted over the wire though.
Ciao, Michael.
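The DIGEST-MD5 point in the message above, as an added example that is not part of the original thread: the client response is computed per RFC 2831 (qop=auth, no authzid), first from the clear-text secret and then from an {SSHA} string of that secret, and only the former matches what the server computes. The user, realm, nonces, digest-uri, secret and salt are constructed sample values, and the server is assumed to hold the same clear-text secret.

```python
import base64
import hashlib
import hmac


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def digest_md5_response(user, realm, password, nonce, cnonce, digest_uri,
                        nc="00000001", qop="auth"):
    """Client response per RFC 2831 section 2.1.2.1 (no authzid)."""
    # A1 starts with the raw MD5 of user:realm:password, so the secret itself
    # is an input; the server's nonce is mixed in afterwards.
    a1 = md5(f"{user}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    kd = f"{md5(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{md5(a2).hex()}"
    return md5(kd.encode()).hex()


def ssha(password: str, salt: bytes) -> str:
    """Salted SHA-1 in the {SSHA} form used for rootpw / userPassword."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def server_accepts(response: str, stored_secret: str, **params) -> bool:
    """Server side: recompute the response from its copy of the secret."""
    expected = digest_md5_response(password=stored_secret, **params)
    return hmac.compare_digest(response, expected)


# Constructed sample values, not taken from the thread.
PARAMS = dict(user="replicator", realm="example.com",
              nonce="c2VydmVyLW5vbmNl", cnonce="Y2xpZW50LW5vbmNl",
              digest_uri="ldap/slave.example.com")
SECRET = "constructed-secret"


def demo():
    """Return (accepted with clear-text, accepted with {SSHA} string)."""
    from_clear = digest_md5_response(password=SECRET, **PARAMS)
    from_hash = digest_md5_response(password=ssha(SECRET, b"\x01\x02\x03\x04"), **PARAMS)
    return (server_accepts(from_clear, SECRET, **PARAMS),
            server_accepts(from_hash, SECRET, **PARAMS))


if __name__ == "__main__":
    print(demo())
```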
Michael Ströder wrote:
> Zdenek Styblik wrote:
>> Michael Ströder wrote:
>>> Sai wrote:
>>>> But when defining “replica”, I got the following questions.
>>>> For credentials, can I use hashed password like for rootpw
>>> No, credentials have to be provided in clear since slurpd is an LDAP client to the slave.
>> a bit off topic, but is this also valid for 2.4.x series?
> slurpd is not available in 2.4.x anymore.
I'm sorry, I just took this as common.
>> perhaps SASL would allow hashed passwords?
> No. E.g. SASL bind DIGEST-MD5 needs the clear-text password in the config(!) to be able to generate the hash over the challenge value and the clear-text password. A hash is transmitted over the wire though.
Yep. But I meant hashed password in config (and so did Sai). I was just curious, if I haven't overlooked something :)
Thanks! Zdenek
Thanks Mike and Zdenek,
I fought with the server team all the way up in the hierarchy. Unfortunately, we are subcontractors providing them a solution. I wish I could make them understand the reality. I think Red Hat stopped at 2.2 for RHEL4 and they are providing 2.3 for RHEL5.
So the bottom line is that any LDAP client should provide clear text passwords. Be it in config file or command line.
Thanks for the clarification guys. I really appreciate it.
-To love is to risk not being loved in return. To hope is to risk pain. To try is to risk failure, but risk must be taken because the greatest hazard in life is to risk nothing.
Thanks,
-Sai
-----Original Message-----
From: openldap-technical-bounces+bangaru.adabala=gmail.com@OpenLDAP.org [mailto:openldap-technical-bounces+bangaru.adabala=gmail.com@OpenLDAP.org] On Behalf Of Zdenek Styblik
Sent: Friday, July 10, 2009 3:01 PM
To: Michael Ströder
Cc: openldap-technical@openldap.org
Subject: Re: bindmethod and credentials in slurpd replication.
Michael Ströder wrote:
> Zdenek Styblik wrote:
>> Michael Ströder wrote:
>>> Sai wrote:
>>>> But when defining replica, I got the following questions.
>>>> For credentials, can I use hashed password like for rootpw
>>> No, credentials have to be provided in clear since slurpd is an LDAP client to the slave.
>> a bit off topic, but is this also valid for 2.4.x series?
> slurpd is not available in 2.4.x anymore.
I'm sorry, I just took this as common.
>> perhaps SASL would allow hashed passwords?
> No. E.g. SASL bind DIGEST-MD5 needs the clear-text password in the config(!) to be able to generate the hash over the challenge value and the clear-text password. A hash is transmitted over the wire though.
Yep. But I meant hashed password in config (and so did Sai). I was just curious, if I haven't overlooked something :)
Thanks! Zdenek