Hi,
I have version 2.4.22 running with mirrormode enabled and it is working well.
I have a question regarding the credentials field in the syncrepl part in slapd.conf.
Must this be cleartext or can it be encrypted, and what is considered good practice regarding which binddn to use? (e.g. should I create a user with a cleartext password specifically for replication?)
Up to now I have used the same binddn as my rootdn but I can only get this to work with a cleartext password and I don't want to have my rootpw as cleartext in slapd.conf.
Here is my current slapd.conf snippet:
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
moduleload syncprov
overlay syncprov
syncprov-checkpoint 1 1
syncprov-sessionlog 100
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain
index objectClass eq
syncrepl rid=123
    provider=ldap://server:389
    type=refreshAndPersist
    retry="5 5 300 +"
    searchbase="dc=example,dc=com"
    attrs="*,+"
    bindmethod=simple
    binddn="cn=Manager,dc=uniscope,dc=jp"
    credentials=secret
mirrormode on
Any help would be appreciated. Thanks.
Hi,
Although I use cn=config instead of slapd.conf, my setup is similar. I've created one user (e.g. cn=replicator) with global read access. Created a certificate (and private key) for that user and mapped it to the user via:
olcAuthzRegexp: {0}"cn=certificate data comes here" "cn=replicator"
then my replica line looks like this:
olcSyncrepl: {0}rid=001 provider=ldap://firstserver bindmethod=sasl saslmech=external
  authcid="cn=certificate data comes here" starttls=critical
  tls_cert=/path/to/the/cert tls_key=/path/to/the/privatekey
  tls_cacert=/path/to/the/cacert tls_reqcert=demand
  searchbase="dc=example,dc=com" type=refreshAndPersist retry="5 5 300 5" timeout=1
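The thread raises two points: the `credentials=` value in a syncrepl directive is the password the consumer sends in its simple bind, so it is necessarily cleartext on the consumer, and the fix for the rootpw concern is a dedicated, read-only replication account whose password is stored only as a hash on the provider (the reply above goes further and replaces the password with a client certificate via SASL EXTERNAL). The following is an added example, not code from the thread or from the OpenLDAP project. It reproduces the `{SSHA}` scheme that slappasswd(8) emits, generates the LDIF for such a replicator entry, and emits the provider ACLs and consumer syncrepl directive that go with it. The DN `cn=replicator,dc=example,dc=com`, the provider host, the password and the ACL layout are constructed assumptions for illustration; adapt them to your own suffix.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed example values (assumptions, not from the thread).
REPLICATOR_DN = "cn=replicator,dc=example,dc=com"
SUFFIX = "dc=example,dc=com"
PROVIDER_URI = "ldap://server:389"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} userPassword value in the form slappasswd -h {SSHA} produces:
    base64(SHA1(password + salt) + salt) behind the scheme tag.
    A random 4-byte salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value, as the provider
    does when the consumer performs its simple bind."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def replicator_ldif(password: str, salt: Optional[bytes] = None) -> str:
    """LDIF for the dedicated replication account. Only the hash is written to the
    provider; the cleartext lives solely in the consumer's slapd.conf."""
    return "\n".join([
        f"dn: {REPLICATOR_DN}",
        "objectClass: simpleSecurityObject",
        "objectClass: organizationalRole",
        "cn: replicator",
        "description: replication consumer account, read-only via ACL",
        f"userPassword: {ssha_hash(password, salt)}",
        "",
    ])


def provider_acls() -> str:
    """slapd.conf access directives for the provider. The replicator must be able
    to read every attribute it replicates, userPassword included, but never write."""
    return "\n".join([
        "access to attrs=userPassword",
        f'    by dn.exact="{REPLICATOR_DN}" read',
        "    by self write",
        "    by anonymous auth",
        "    by * none",
        "access to *",
        f'    by dn.exact="{REPLICATOR_DN}" read',
        "    by * read",
    ])


def consumer_syncrepl(password: str, rid: int = 123) -> str:
    """The consumer-side syncrepl directive. credentials= is the bind password and
    therefore cleartext here; the mitigation is that it unlocks a read-only account
    rather than the rootdn, and that slapd.conf itself is readable only by slapd."""
    return "\n".join([
        f"syncrepl rid={rid}",
        f"    provider={PROVIDER_URI}",
        "    type=refreshAndPersist",
        '    retry="5 5 300 +"',
        f'    searchbase="{SUFFIX}"',
        '    attrs="*,+"',
        "    bindmethod=simple",
        f'    binddn="{REPLICATOR_DN}"',
        f"    credentials={password}",
    ])


def cleartext_leaked_to_provider(password: str, ldif: str) -> bool:
    """True if the provider-side LDIF would carry the cleartext password."""
    return password in ldif


if __name__ == "__main__":
    pw = "TopSecretPw!"                      # constructed sample password
    ldif = replicator_ldif(pw)
    print(ldif)
    print(provider_acls())
    print(consumer_syncrepl(pw))
    print("cleartext on provider:", cleartext_leaked_to_provider(pw, ldif))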
--On Tuesday, July 13, 2010 6:18 AM +0200 Vernon Reilly vernonore@hotmail.com wrote:
Hi,
I have version 2.4.22 running with mirrormode enabled and it is working well.
I have a question regarding the credentials field in the syncrepl part in slapd.conf.
Must this be cleartext
I suggest you read the slapd.conf(5) man page, specifically the section about syncrepl and all of its parameters. Your question is answered very, very clearly in there.
--Quanah
--
Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration
openldap-technical@openldap.org