[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Slave slapd doesn't accept bind from slurpd

To: openldap-software@OpenLDAP.org
Subject: Re: Slave slapd doesn't accept bind from slurpd
From: "George Betzos" <betzos@europe.com>
Date: Thu, 06 May 2004 03:07:51 -0500
Cc: D.M.Lewney@sussex.ac.uk
Content-disposition: inline

After I tried what you suggested and everything seemed to be ok, it dawned on me. In the credentials=... option in the replica section of the master's slapd.conf the password of the binddn must be entered in unencrypted form. I tried it and things worked fine.

But ... isn't this a security hole? Storing unecrypted passwords in a file has long being considered a no-no in a unix system (in any system for that matter).

What do the (open)ldap designers/developpers have in mind?

Many thanks,

George Betzos
betzos@europe.com

 
----- Original Message -----
From: D.M.Lewney@sussex.ac.uk (Dave Lewney)
Date: Wed, 05 May 2004 08:55:35 +0100
To: George Betzos <betzos@europe.com>
Subject: Re: Slave slapd doesn't accept bind from slurpd

> George Betzos wrote:
> >  
> > Hello, 
> >  
> > I am trying to set up a slave slapd to function as a backup server to a system I am seting up and 
> > slurpd on the server fails to connect to the backup slapd (it is rejected with the indication 
> > "Invalid credentials"). 
> >  
> > I am debugging this setup for some time now and I have a feeling that something with authentication and 
> > encryption mechanisms is not properly set up, rather than a bug. 
> >  
> > Both hosts are P4 machines running redhat fedora (fully updated). 
> >  
> > I have setup openldap to use TLS (no SASL or anything else) and I have created the cerificates and keys. 
> > For the time being I am just testing the system (no system authentication transferred to ldap, yet). 
> >  
> > I tried to check the source code if I can figure out what is going on and with a minor modification 
> > I managed to get the system to work with cleartext passwords. I am sending some debugging messages in 
> > case someone sees something familiar. 
> >  
> > I have checked the archives and couldn't find anything relevant. 
> >  
> > I would appreciate very much any suggestions. Many Thanks. 
> >  
> > George Betzos 
> > betzos@europe.com 
> >  
> > ----------------------------------------------------------------------------------------------  
> >  
> > Log snippets follow, first without my modification and then with it and using cleartext passwords 
> >  
> > ... 
> 
> At a guess there's something wrong with the certificate(s). Some things to try:
> 
> 1) Check that the binddn in the master slapd.conf corresponds with the 
> updatedn in the replica slapd.conf.
> 
> 2) Remove tls from the replica lines and check that replication works ok.
> 
> 3) Try ldapsearch -ZZ -H ldap://your.replica/ -D 'cn=backup,dc=uol,dc=bz' 
> -W etc, etc
> 
> 4) Test the certificates:
> openssl s_client -connect name.of.replica:636 -CAfile /path/to/your/CA.pem
> 
> Dave
> --
> Dave Lewney
> Principal Systems Programmer, IT Services
> University of Sussex, Brighton BN1 9QJ. Tel: 01273 678354 Fax: 01273 271956
> 
> 

-- 
___________________________________________________________
Sign-up for Ads Free at Mail.com
http://promo.mail.com/adsfreejump.htm

Follow-Ups:
- Re: Slave slapd doesn't accept bind from slurpd
  - From: "Pierangelo Masarati" <ando@sys-net.it>

Prev by Date: [SSl/TLS + LDAP] Wrong version number, no shared cipher
Next by Date: Re: Slave slapd doesn't accept bind from slurpd
Index(es):
- Chronological
- Thread