I have a multimaster system running behind a back_ldap proxy and all is running fine except for the fact that the mirrormode user specified in the syncrepl section can only specify its password as cleartext or use SASL authentication. I'm not so worried about the clear text password being seen because all connections are via TLS. But, if anyone binds, including anonymous users, that password is visible to them, which scares me because the mirrormode user has write access to the entire tree. My first course of action was to set ACLs as write to the mirrormode user and none to everyone else, but no matter what I do, replication between the two servers breaks because it seems as soon as an ACL is defined, the mirrormode user no longer has permissions. Am I fundamentally missing something here with the visible clear text password? Or am I just not doing the ACLs right? Below is an example of what I surely thought would work (at a very minimal level).
access to dn.base="cn=Mirrormode,dc=example,dc=com" attrs=userPassword by anonymous none
doesn't work. Even:
access to dn.base="cn=Mirrormode,dc=example,dc=com" attrs=userPassword by self write
gives me no love either. If you need the entire ACL I can provide it, but I'm guessing I'm missing something much more obvious.
Thanks, Tyler
openldap-technical@openldap.org
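Added example, not part of the original message or of any reply: a minimal ordered ACL set in slapd.conf syntax that hides userPassword from everyone but still lets the replication identity bind and read the tree. It assumes the suffix dc=example,dc=com and the identity cn=Mirrormode,dc=example,dc=com from the post. Two properties of slapd ACL evaluation drive the shape: the first `access to` clause whose target matches a request is the only one applied, and as soon as any `access` directive exists, requests matched by no clause are denied (the implicit trailing `access to * by * none`). A single clause that targets only userPassword therefore leaves every other entry unreadable, including the suffix entry and the contextCSN the consumer needs.

```conf
# Added example (assumed suffix and replication DN, slapd.conf syntax).
# Clause order matters: first matching "access to" target wins.

# 1. Passwords on every entry (the replication user's included):
#    usable for simple bind ("auth"), writable by the entry itself and
#    by the replication identity, never readable by anyone else.
access to attrs=userPassword
    by dn.exact="cn=Mirrormode,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# 2. Everything else under the suffix. The replication identity must be
#    able to read the whole subtree, suffix entry included, because the
#    syncrepl search starts there. "by * read" preserves the read-all
#    behaviour slapd had before any ACL was defined; tighten it to
#    "by users read" if anonymous browsing is not required.
access to dn.subtree="dc=example,dc=com"
    by dn.exact="cn=Mirrormode,dc=example,dc=com" write
    by * read
```

Check the result offline with slapacl(8) before restarting, for example `slapacl -f slapd.conf -D "cn=Mirrormode,dc=example,dc=com" -b "dc=example,dc=com" entry/read` for the replication identity and the same command with `-b "cn=Mirrormode,dc=example,dc=com" userPassword/read` for an identity that should be denied.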