Re: Encrypting replication password
Hi replicating folk,

Some thoughts about protecting replicator passwords.

> > is it possible to encrypt the password (credentials) of the replica in 
> > master's slapd.conf. [...]
> 
> No - the master machine has to know the password so that it can use it
> to authenticate to the slave machine. The password has to be stored in
> clear, or it has to be encrypted using a key that is stored in clear
> (which just adds complexity without adding security).

I agree that a 3DES encrypted password or so doesn't help much.  But!
One other approach would be to have the password entered upon startup.

It is unfortunate that OpenLDAP doesn't support this method of startup,
because it would disable schemes of getting to the password that are based
on accessing slapd.conf through whatever OS weakness.

It's how Apache does the password thing on certificates.  But with Apache,
the whole service cannot bootstrap without admin interference.  LDAP would
be in a more fortunate position, where only replication lags behind if the
administrator hasn't entered the "replicator" password.


Just my tuppence.


Cheers,
Rick van Rein.
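The exposure Rick describes (a replicator password sitting in clear in slapd.conf, reachable by anyone who can read the file) can at least be detected. The following audit script is an added example, not part of the original message or of OpenLDAP: it scans a slapd.conf-style file for `credentials=` clauses on `replica`/`syncrepl` lines (OpenLDAP 2.x slapd.conf(5) syntax), reports them with the secret redacted, and checks whether the file is readable beyond its owner. The sample configuration embedded below is constructed for the demonstration; hostnames, DNs and the password value are placeholders.

```python
import os
import re
import stat
import tempfile

# Constructed sample slapd.conf fragment (not from the original message).
# The replica directive syntax follows OpenLDAP 2.x slapd.conf(5).
SAMPLE_SLAPD_CONF = """\
include         /etc/openldap/schema/core.schema
pidfile         /var/run/slapd.pid
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
replica         uri=ldap://replica.example.com:389
                binddn="cn=replicator,dc=example,dc=com"
                bindmethod=simple credentials=s3cret-replicator-pw
replogfile      /var/lib/ldap/replog
"""

# Matches credentials=value, where value is either a quoted string or a bare token.
CREDENTIAL_RE = re.compile(r'(credentials=)("[^"]*"|\S+)')


def find_cleartext_credentials(conf_text):
    """Return (line_number, redacted_line) for every line carrying a credentials= clause.

    The secret itself is replaced by <redacted> so the report can be logged safely.
    """
    findings = []
    for number, line in enumerate(conf_text.splitlines(), start=1):
        if CREDENTIAL_RE.search(line):
            redacted = CREDENTIAL_RE.sub(r'\1<redacted>', line).strip()
            findings.append((number, redacted))
    return findings


def readable_beyond_owner(path):
    """True if group or world read bits are set on the file (the OS-level exposure)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_slapd_conf(path):
    """Combine both checks into one report for a configuration file on disk."""
    with open(path) as handle:
        text = handle.read()
    return {
        "cleartext_credentials": find_cleartext_credentials(text),
        "readable_beyond_owner": readable_beyond_owner(path),
    }


def demo(mode=0o644):
    """Write the constructed sample to a temporary file with the given mode and audit it."""
    fd, path = tempfile.mkstemp(prefix="slapd-audit-", suffix=".conf")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(SAMPLE_SLAPD_CONF)
        os.chmod(path, mode)
        return audit_slapd_conf(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    report = demo()
    for number, line in report["cleartext_credentials"]:
        print(f"line {number}: cleartext credential: {line}")
    if report["readable_beyond_owner"]:
        print("slapd.conf is readable by group or others; restrict it to the slapd user")
```

A finding from the first check is only as serious as the second check makes it: a credential that must be stored in clear (as the quoted reply notes) should at minimum sit in a file that only the slapd user can read.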