Hi Michael and Dieter,
Thanks for your kind replies. In my case, I didn't use any SASL or TLS but the "simple" method, with user/password authentication. However, I need the rootpw hashed (not cleartext) and the 2 servers (master & slave) synchronized. Could you please advise how I should modify the syncrepl part? Or could you please provide a sample slapd.conf configuration?
Best regards,
Eileen
------------------ Original message ------------------ From: "Michael Ströder" <michael@stroeder.com>; Sent: Wednesday, 5 March 2014, 4:09 PM; To: "Dieter Klünter" <dieter@dkluenter.de>; "openldap-technical" <openldap-technical@openldap.org>;
Subject: Re: mirror mode & sasl question
Dieter Klünter wrote:
On Wed, 5 Mar 2014 14:38:04 +0800, "Eileen(=^ω^=)" <123784635@qq.com> wrote:
This is Eileen from China SINAP. I am a beginner with OpenLDAP software. I encountered a problem in my study of replication between two LDAP services. I have 2 LDAP services, one named LDAP1, the other LDAP2. I want to synchronize them in mirror mode. But when I set both LDAP services' rootpw as a hash, the 2 LDAP services can't synchronize. My questions are:
1. If I set my rootpw as a hash, must my bindmethod be SASL? If I must use the SASL method, can I put the SASL service in the same LDAP service? If bindmethod=sasl, what should the saslmech be?
2. If I change to the SASL method, do I need to change my database records?
In order to use SASL, passwords must be cleartext and you should configure an appropriate authz-regexp, see man slapd.conf(5). You may use any SASL mechanism that your SASL framework provides. [...]
To be more precise: In order to use password-based SASL mechs the passwords have to be stored in clear-text.
Well, if working with SASL and TLS (LDAPS, StartTLS) one should consider using client certs and SASL/EXTERNAL for replication.
Ciao, Michael.
Hi,
http://pastebin.de/41448 -Dieter
On Wed, 5 Mar 2014 22:04:05 +0800, "Eileen(=^ω^=)" <123784635@qq.com> wrote:
<snipp/>
Hi Michael and Dieter,
I see the mail below; can I understand that only mirror mode replication can't use a hashed password in rootpw, while other synchronous replication modes (for example, syncrepl proxy) can use a hashed password?
Thanks and regards
tiangexuan
<snipp/>
Hi,
If I remember correctly, you mentioned SASL authentication. My comments on plaintext passwords are only related to SASL authentication. A SASL authentication is based on a SASL MECHANISM, as described in RFC 4422. In order to compare the SASL authentication string with the stored password value, this has to be cleartext. If your LDAP operation is based on a simple bind, the stored password can, and should be, hashed.
-Dieter
On Tue, 8 Apr 2014 14:16:31 +0800, 田格瑄 <tiangexuan@sinap.ac.cn> wrote:
<snipp/>
Hi Dieter,
Thanks for your kind replies.
In my case, I don't use any SASL. I want to use simple bind, but my mirror mode can't work when my rootpw is a hash (if the rootpw is in cleartext, mirror mode works). Could you please advise what is wrong with my configuration?
My slapd.conf file set as below.
moduleload syncprov.la
database bdb
suffix "dc=xxx,dc=xxx"
checkpoint 1024 15
rootdn "cn=manager,dc=xxx,dc=xxx"
rootpw {SSHA}aeiyuikahdkfjhdiuvy
directory /var/lib/ldap/xxx
access to *
    by self write
    by * read
# Indices to maintain for this database
index objectClass,entryCSN,entryUUID eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# the ldap2 service uses serverID 2
serverID 1
# consumer side: pull changes from the other node
syncrepl rid=001
    provider=ldap://other side ip
    bindmethod=simple
    binddn="cn=manager,dc=xxx,dc=xxx"
    credentials={SSHA} aeiyuikahdkfjhdiuvy
    searchbase="dc=xxx,dc=xxx"
    schemachecking=on
    type=refreshAndPersist
    retry="60 +"
mirrormode on
# provider side: serve changes to the other node
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
Thanks and regards
tiangexuan
-----Original Message----- From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Dieter Klünter; Sent: 8 April 2014 16:25; To: openldap-technical@openldap.org; Subject: Re: Re: mirror mode question
<snipp/>
--
Dieter Klünter | Systemberatung
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
Hi,
On Wed, 9 Apr 2014, 田格瑄 wrote:
Hi Dieter,
Thanks for your kind replies.
In my case, I don't use any SASL. I want to use simple bind, but my mirror mode can't work when my rootpw is a hash (if the rootpw is in cleartext, mirror mode works). Could you please advise what is wrong with my configuration?
My slapd.conf file set as below.
moduleload syncprov.la
database bdb
suffix "dc=xxx,dc=xxx"
checkpoint 1024 15
rootdn "cn=manager,dc=xxx,dc=xxx"
rootpw {SSHA}aeiyuikahdkfjhdiuvy
1. That is not a hash.
2. use slappasswd to generate the hash as follows
ck@ldap1:~ % slappasswd
New password: sillypassword
Re-enter new password: sillypassword
{SSHA}miU6lvcqHnP+bAlZz4DruvOm8DeEczQR
ck@ldap1:~ %
3. Use the result from slappasswd as your rootpw
rootpw {SSHA}miU6lvcqHnP+bAlZz4DruvOm8DeEczQR
4. Use a different password as you have now posted it to the list in cleartext
credentials={SSHA} aeiyuikahdkfjhdiuvy
5. no. You need to use the cleartext password for replication credentials
credentials=sillypassword
6. you can only hash your rootpw. You will need to use a cleartext password to authenticate.
Greetings Christian
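Christian's points 3, 5 and 6 come down to what a simple bind actually does on the provider, and the following added example (my own code, not anything posted in the thread or shipped with OpenLDAP) models it. The provider stores rootpw as {SSHA}, which is base64 of SHA-1(password + salt) followed by the salt, the format slappasswd prints; the consumer sends the cleartext; slapd re-hashes it with the stored salt and compares digests. The 4-byte salt size, the demo password and the fixed salt are assumptions, and the garbled "{SSHA}aeiyuikahdkfjhdiuvy" from the thread is used only to show that a malformed rootpw matches nothing.

```python
# Added example, not code from the thread or from OpenLDAP: a model of what
# slapd does when a syncrepl consumer performs a simple bind against a rootpw
# stored as {SSHA}. The {SSHA} layout (base64 of SHA-1(password + salt)
# followed by the salt) is the one slappasswd emits; the 4-byte salt length is
# an assumption that matches the 24-byte value Christian posted. All demo
# passwords and salts below are constructed for this example.
import base64
import hashlib
import hmac
import os

SALT_LEN = 4            # assumption: slappasswd's default salt size
SHA1_LEN = 20           # SHA-1 digest length in bytes
PREFIX = "{SSHA}"


def ssha_hash(password, salt=None):
    """Build a {SSHA} value as slappasswd would print it and slapd would store it."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(stored):
    """Split a stored {SSHA} value into (digest, salt); None if it is malformed."""
    if not stored.startswith(PREFIX):
        return None
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= SHA1_LEN:    # need a full digest plus at least one salt byte
        return None
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def simple_bind(stored_rootpw, presented_password):
    """slapd's check for a simple bind: re-hash the cleartext the client sent
    with the stored salt and compare it against the stored digest."""
    parts = ssha_parts(stored_rootpw)
    if parts is None:
        return False            # a garbled rootpw can never be matched
    digest, salt = parts
    candidate = hashlib.sha1(presented_password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Constructed demo values; the salt is fixed so the result is reproducible.
PROVIDER_ROOTPW = ssha_hash("sillypassword", salt=b"\x01\x02\x03\x04")
THREAD_ROOTPW = "{SSHA}aeiyuikahdkfjhdiuvy"   # the value Christian flagged as "not a hash"


def demo():
    """Bind outcomes for the cases discussed in the thread."""
    return {
        "consumer sends the cleartext password": simple_bind(PROVIDER_ROOTPW, "sillypassword"),
        "consumer sends a wrong password": simple_bind(PROVIDER_ROOTPW, "wrongpassword"),
        "consumer sends the {SSHA} string itself": simple_bind(PROVIDER_ROOTPW, PROVIDER_ROOTPW),
        "provider rootpw is the garbled thread value": simple_bind(THREAD_ROOTPW, "sillypassword"),
    }


if __name__ == "__main__":
    for case, bound in demo().items():
        print(f"{case}: {'bind succeeds' if bound else 'invalid credentials'}")
```

Running it prints one line per case; the only successful bind is the one where the consumer presents the cleartext. That is why credentials= on the consumer cannot be a hash, and why the hashed rootpw on the provider does not give the secret away while the consumer's credentials= line does.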
Hi Christian,
Thank you very much~:)
Can I understand that I should change my config as below? If yes, I have a question: other people can see my rootpw; this is not safe, isn't it?
moduleload syncprov.la
database bdb
suffix "dc=xxx,dc=xxx"
checkpoint 1024 15
rootdn "cn=manager,dc=xxx,dc=xxx"
rootpw {SSHA}miU6lvcqHnP+bAlZz4DruvOm8DeEczQR
directory /var/lib/ldap/xxx
access to *
    by self write
    by * read
# Indices to maintain for this database
index objectClass,entryCSN,entryUUID eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# the ldap2 service uses serverID 2
serverID 1
# consumer side: pull changes from the other node, binding with the cleartext
syncrepl rid=001
    provider=ldap://other side ip
    bindmethod=simple
    binddn="cn=manager,dc=xxx,dc=xxx"
    credentials=sillypassword
    searchbase="dc=xxx,dc=xxx"
    schemachecking=on
    type=refreshAndPersist
    retry="60 +"
mirrormode on
# provider side: serve changes to the other node
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
Thanks and regards
tiangexuan
-----Original Message----- From: Christian Kratzer [mailto:ck-lists@cksoft.de]; Sent: 9 April 2014 13:49; To: 田格瑄; Cc: 'Dieter Klünter'; openldap-technical@openldap.org; Subject: Re: Re: Re: mirror mode question
<snipp/>
Hi,
On Wed, 9 Apr 2014, 田格瑄 wrote:
Hi Christian,
Thank you very much~:) Can I understand I should change my config as below?
<snipp/>
rootpw {SSHA}miU6lvcqHnP+bAlZz4DruvOm8DeEczQR
<snipp/>
syncrepl rid=001
    provider=ldap://other side ip
    bindmethod=simple
    binddn="cn=manager,dc=xxx,dc=xxx"
    credentials=sillypassword
Yes, the above is the idea. You can hash the rootpw, but your replication partners will of course need the cleartext password so they can authenticate.
Use slappasswd to generate the hash from your own secret password.
If yes, I have a question, other people can see my rootpw, this is not safe, isn’t it ?
Other people cannot decode the password from the hash. So your rootpw is safe on the provider node.
There is no way to secure the credentials on the consumer node, as it will have to know the password in order to authenticate. Take a moment to think about how having a hashed password on the consumer would allow it to authenticate. And if it would, how would that stop somebody from grabbing the hashed password and using it, if that would work?
If you do not like to have cleartext credentials you could of course use SASL method=external with client certificates, as has been suggested before. You could then have a configuration without any cleartext passwords. But of course you would need to have the client certificate and corresponding private key on the consumer node. In that case this could be stolen.
Using a separate dn or client certificates for the replication user is good practice so you can limit the respective privileges to read only.
You could even use an acl to further limit client ip address from where the consumers can connect.
Greetings Christian
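Christian's last two points, a dedicated read-only replication identity and an ACL that restricts where it may connect from, look like this in slapd.conf. This is an added example, not configuration posted in the thread or taken from the OpenLDAP documentation; it keeps the thread's suffix and rootdn and assumes placeholders that are not in the thread: the peer's address 192.0.2.2, the peer's URL ldap://ldap2.example.org, an entry cn=replicator,dc=xxx,dc=xxx created beforehand, and its cleartext secret.

```conf
# Added example, not configuration from the thread. Provider-side ACL and
# limits plus consumer-side syncrepl for a dedicated, read-only replication
# identity. Assumed placeholders: the peer's address 192.0.2.2, the peer's
# URL ldap://ldap2.example.org, the entry cn=replicator,dc=xxx,dc=xxx and the
# cleartext secret replicator-cleartext-secret.

moduleload syncprov.la

# serverID is a global directive; the ldap2 node uses serverID 2 and points
# its provider= at ldap1. Everything else is identical on both nodes.
serverID 1

# cn=replicator must exist as an ordinary entry before replication starts,
# e.g. added with ldapadd as objectClass simpleSecurityObject plus
# organizationalRole, with a userPassword produced by slappasswd. As with
# rootpw, only the hash is stored here; the consumer is the only place the
# cleartext lives.

database bdb
suffix "dc=xxx,dc=xxx"
checkpoint 1024 15
rootdn "cn=manager,dc=xxx,dc=xxx"
rootpw {SSHA}miU6lvcqHnP+bAlZz4DruvOm8DeEczQR
directory /var/lib/ldap/xxx

# The replication identity gets read access (it must see every attribute,
# userPassword included, or those values would never replicate), but only
# when connecting from the peer node. Both conditions on one "by" line must
# hold. Password hashes are no longer world-readable for everyone else.
access to attrs=userPassword
    by dn.exact="cn=replicator,dc=xxx,dc=xxx" peername.ip=192.0.2.2 read
    by self write
    by anonymous auth
    by * none
access to *
    by dn.exact="cn=replicator,dc=xxx,dc=xxx" peername.ip=192.0.2.2 read
    by self write
    by * read

# A full refresh returns the whole tree; lift the default search limits for
# the replicator so the refresh is not truncated.
limits dn.exact="cn=replicator,dc=xxx,dc=xxx"
    time.soft=unlimited time.hard=unlimited
    size.soft=unlimited size.hard=unlimited

index objectClass,entryCSN,entryUUID eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uid,memberUid eq,pres,sub

# Consumer side of the same node. A simple bind sends the secret in clear on
# the wire, so require StartTLS; the TLS* directives that make StartTLS work
# on both nodes are not shown here.
syncrepl rid=001
    provider=ldap://ldap2.example.org
    starttls=critical
    bindmethod=simple
    binddn="cn=replicator,dc=xxx,dc=xxx"
    credentials=replicator-cleartext-secret
    searchbase="dc=xxx,dc=xxx"
    schemachecking=on
    type=refreshAndPersist
    retry="60 +"
mirrormode on

# Provider side: serve changes to the other node.
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
```

The rootdn bypasses ACLs entirely, so binding replication as cn=manager (as in the thread) hands the peer full write access and makes the rootpw secret the one that sits in cleartext on the consumer. With a separate replicator entry the consumer holds a secret that, even if it is stolen, can only read, and only from the address the ACL names.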