Re: Slave slapd doesn't accept bind from slurpd
After I tried what you suggested and everything seemed to be ok, it dawned on me. In the credentials=... option in the replica section of the master's slapd.conf, the password of the binddn must be entered in unencrypted form. I tried it and things worked fine.
But ... isn't this a security hole? Storing unencrypted passwords in a file has long been considered a no-no on a unix system (on any system for that matter).
What do the (open)ldap designers/developers have in mind?
Many thanks,
George Betzos
betzos@europe.com
----- Original Message -----
From: D.M.Lewney@sussex.ac.uk (Dave Lewney)
Date: Wed, 05 May 2004 08:55:35 +0100
To: George Betzos <betzos@europe.com>
Subject: Re: Slave slapd doesn't accept bind from slurpd
> George Betzos wrote:
> >
> > Hello,
> >
> > I am trying to set up a slave slapd to function as a backup server to a system I am setting up, and
> > slurpd on the server fails to connect to the backup slapd (it is rejected with the indication
> > "Invalid credentials").
> >
> > I have been debugging this setup for some time now and I have a feeling that something with the authentication and
> > encryption mechanisms is not properly set up, rather than a bug.
> >
> > Both hosts are P4 machines running redhat fedora (fully updated).
> >
> > I have set up openldap to use TLS (no SASL or anything else) and I have created the certificates and keys.
> > For the time being I am just testing the system (no system authentication transferred to ldap, yet).
> >
> > I tried to check the source code to see if I could figure out what is going on, and with a minor modification
> > I managed to get the system to work with cleartext passwords. I am sending some debugging messages in
> > case someone sees something familiar.
> >
> > I have checked the archives and couldn't find anything relevant.
> >
> > I would appreciate very much any suggestions. Many Thanks.
> >
> > George Betzos
> > betzos@europe.com
> >
> > ----------------------------------------------------------------------------------------------
> >
> > Log snippets follow, first without my modification and then with it and using cleartext passwords
> >
> > ...
>
> At a guess there's something wrong with the certificate(s). Some things to try:
>
> 1) Check that the binddn in the master slapd.conf corresponds with the
> updatedn in the replica slapd.conf.
>
> 2) Remove tls from the replica lines and check that replication works ok.
>
> 3) Try ldapsearch -ZZ -H ldap://your.replica/ -D 'cn=backup,dc=uol,dc=bz'
> -W etc, etc
>
> 4) Test the certificates:
> openssl s_client -connect name.of.replica:636 -CAfile /path/to/your/CA.pem
>
> Dave
> --
> Dave Lewney
> Principal Systems Programmer, IT Services
> University of Sussex, Brighton BN1 9QJ. Tel: 01273 678354 Fax: 01273 271956
>
>
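A check that follows from the cleartext credentials= concern raised above, added here and not part of the thread or of OpenLDAP itself: a small POSIX sh audit that counts credentials= directives in a slapd.conf replica stanza and warns when the file is readable by anyone other than its owner. The sample stanza, host name, DN and secret below are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): audit a slapd.conf for the cleartext
# credentials= directive that a slurpd replica stanza requires, and flag it
# when the file is readable by group or others. Assumes a slapd.conf-style file.

# Print the number of credentials= directives in the file (0 when none).
count_replica_creds() {
  grep -Ec '(^|[[:space:]])credentials=' "$1" || true
}

# Return 0 if the file is not readable by group or others, 1 otherwise.
owner_only_readable() {
  perms=$(ls -ld "$1" | cut -c5-10)   # group and other permission triplets
  case "$perms" in
    *r*) return 1 ;;
    *)   return 0 ;;
  esac
}

# Print OK when there are no cleartext credentials or the file is owner-only;
# print WARN and return 2 when a credentials= line sits in a readable file.
audit_slapd_conf() {
  creds=$(count_replica_creds "$1")
  if [ "$creds" -eq 0 ]; then
    echo "OK: no credentials= directive in $1"
    return 0
  fi
  if owner_only_readable "$1"; then
    echo "OK: $creds credentials= line(s) in $1, readable by owner only"
    return 0
  fi
  echo "WARN: $creds credentials= line(s) in $1 readable by group/others"
  return 2
}

# Constructed sample replica stanza (host, DN and secret are placeholders).
sample=$(mktemp)
cat > "$sample" <<'EOF'
replica host=replica.example.test:389
        binddn="cn=replicator,dc=example,dc=test"
        bindmethod=simple credentials=PLACEHOLDER_SECRET
        tls=yes
EOF
chmod 644 "$sample"
audit_slapd_conf "$sample" || true   # WARN: world-readable config
chmod 600 "$sample"
audit_slapd_conf "$sample" || true   # OK: owner-only
rm -f "$sample"
```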