
Re: replication credentials



I've had mixed results including encrypted replication passwords. In fact, I've read messages that say you CANNOT encrypt the replication credentials. YMMV. If you're worried about "anyone who can read the slapd.conf file", set its permissions as 0750 root:ldap and trust the filesystem. Nobody's in the ldap group but the ldap user, probably created by your package installer.

The details of a secure (TLS) replication environment are plastered all over the list archives. I posted my entire config a couple months ago personally. It's an extremely active subject. I'd recommend some time in the archives to anybody who needs hands-on documentation of a number of successful "secure environment" deployments.

-j


Gary LaVoy wrote:
Is it possible to put an encrypted password in the slapd.conf for the
replication account? It doesn't seem to like this statement:


replica host=replicahost.apple.com:389 binddn="cn=replicator,o=Apple Computer" bindmethod=simple credentials={SSHA}qn1ASsCqSO4wUbZPRmgUc0e3eZgbACdE

and putting a clear text password in means that I expose an account that
basically has manager access to anyone who can read the slapd.conf file. So in
that case I might as well use the manager account for replication itself.

so what is the recommended way to set up a reasonably secure replication
environment?

thanks,

Gary glavoy@apple.com