How to configure olcSyncrepl without a plaintext password? I tried using the credentials="{SSHA256}jRlrKRCcrhYo7SqbPDc5WkoSxaHc8y/e0DPWaAnveUkQpQ7wEOWhsw==" format. Does olcSyncrepl accept a password in {SSHA256} format?
You definitely won't be able to use a password hash as a credential for syncrepl. A hash is a one-way function, so you can't readily derive the password from it (except via exhaustive brute force).
To avoid storing a clear-text password in your config, you'll need to use another mechanism such as GSSAPI. That's what I use in my installations. X.509 certificates/keys might be another option.
All of the options are more complicated than using a plain-text password, but they're also a bit more secure.
Ben
On Fri, Mar 8, 2024, 9:43 AM mbalakri@opentext.com wrote:
How to configure olcSyncrepl without a plaintext password? I tried using the credentials="{SSHA256}jRlrKRCcrhYo7SqbPDc5WkoSxaHc8y/e0DPWaAnveUkQpQ7wEOWhsw==" format. Does olcSyncrepl accept a password in {SSHA256} format?
Ben,
I would like to use GSSAPI for my replication. Would you be willing to share how you went about it?
Thanks, Brendan
On Fri, Mar 8, 2024, 1:05 PM Ben Poliakoff benp@reed.edu wrote:
You definitely won't be able to use a password hash as a credential for syncrepl. A hash is a one-way function, so you can't readily derive the password from it (except via exhaustive brute force).
To avoid storing a clear-text password in your config, you'll need to use another mechanism such as GSSAPI. That's what I use in my installations. X.509 certificates/keys might be another option.
All of the options are more complicated than using a plain-text password, but they're also a bit more secure.
Ben
On Fri, Mar 8, 2024, 9:43 AM mbalakri@opentext.com wrote:
How to configure olcSyncrepl without a plaintext password? I tried using the credentials="{SSHA256}jRlrKRCcrhYo7SqbPDc5WkoSxaHc8y/e0DPWaAnveUkQpQ7wEOWhsw==" format. Does olcSyncrepl accept a password in {SSHA256} format?
Using X.509 (SASL EXTERNAL) is super easy (once you figure it out, like a lot of this stuff), and is nice because you are not relying on a KDC, and no passwords need to be displayed in your syncrepl configs.
From: brendan kearney bpk678@gmail.com
Sent: Friday, March 8, 2024 10:09 AM
To: Ben Poliakoff benp@reed.edu
Cc: mbalakri@opentext.com; openldap-technical@openldap.org
Subject: Re: Configure replication without a plaintext password.
Ben,
I would like to use GSSAPI for my replication. Would you be willing to share how you went about it?
Thanks, Brendan
Christopher Paul, https://www.openldap.org/faq/data/cache/1504.html, are you talking about this configuration?
Hi mbalakri,
May I politely suggest that you try it yourself and see?
Chris Paul | https://www.rexconsulting.net
-----Original Message-----
From: mbalakri@opentext.com
Sent: Friday, March 8, 2024 10:56 AM
To: openldap-technical@openldap.org
Subject: Re: Configure replication without a plaintext password.
Christopher Paul, https://www.openldap.org/faq/data/cache/1504.html, are you talking about this configuration?
Thank you, it is working by enabling bindmethod=sasl and saslmech=external in the olcSyncrepl configuration.
--On Friday, March 8, 2024 5:42 PM +0000 mbalakri@opentext.com wrote:
How to configure olcSyncrepl without a plaintext password? I tried using the credentials="{SSHA256}jRlrKRCcrhYo7SqbPDc5WkoSxaHc8y/e0DPWaAnveUkQpQ7wEOWhsw==" format. Does olcSyncrepl accept a password in {SSHA256} format?
You will need to use a passwordless SASL mechanism, as others have noted. If you peruse the test suite, you will see that test068-sasl-tls-external configures SASL/EXTERNAL certificate authentication in an OpenLDAP server. I use SASL/EXTERNAL certificate authentication in my replication setup.
Regards, Quanah
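As an added illustration (not from any post in this thread and not the test068 script Quanah mentions), here is the cleartext simple-bind olcSyncrepl next to the SASL/EXTERNAL form that the thread converges on, plus the provider-side settings it depends on. The host provider.example.com, the suffix dc=example,dc=com, the file paths, and the certificate subject cn=replica1,o=example corp,c=us are all assumed values.

```ldif
# Added example; hostnames, DNs, paths and the cert subject are assumptions.

# BEFORE (weak): the consumer keeps the replication account's password in
# cleartext inside cn=config, readable by anyone who can read the database entry.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://provider.example.com
  bindmethod=simple binddn="cn=replicator,dc=example,dc=com"
  credentials="plaintext-secret-here" searchbase="dc=example,dc=com"
  type=refreshAndPersist retry="60 +"

# AFTER: the consumer authenticates with its TLS client certificate
# (SASL/EXTERNAL). There is no credentials= keyword at all, so no secret
# lands in cn=config; the private key file is the only secret and should be
# readable solely by the slapd service account.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://provider.example.com
  starttls=critical tls_reqcert=demand
  tls_cacert=/etc/ldap/tls/ca.crt
  tls_cert=/etc/ldap/tls/replica1.crt tls_key=/etc/ldap/tls/replica1.key
  bindmethod=sasl saslmech=EXTERNAL
  searchbase="dc=example,dc=com" type=refreshAndPersist retry="60 +"

# On the PROVIDER: request a client certificate during the TLS handshake and
# map the certificate's subject DN onto the directory identity that the ACLs
# already grant replication read access to.
dn: cn=config
changetype: modify
replace: olcTLSVerifyClient
olcTLSVerifyClient: try
-
add: olcAuthzRegexp
olcAuthzRegexp: {0}"^cn=replica1,o=example corp,c=us$"
  "cn=replicator,dc=example,dc=com"
```

Before changing olcSyncrepl, confirm the mapping from the consumer host with `ldapwhoami -H ldap://provider.example.com -ZZ -Y EXTERNAL` (with TLS_CERT and TLS_KEY set in its ldap.conf); it should print the mapped replicator DN, and if it prints the raw certificate DN instead, the olcAuthzRegexp pattern does not match the subject as slapd normalizes it.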
openldap-technical@openldap.org