
Re: Best practise for syncrepl security & latency?



On Sat, 21 Apr 2007, Quanah Gibson-Mount wrote:
...
It seems to work OK, but I don't like the idea of having a plain text
password in Host2's slapd.conf.

Is SASL the only sensible way to go here, security-wise?

You could use SASL/EXTERNAL (cert auth) certainly... I'll note that "interval" is not a valid parameter for "refreshAndPersist", I suggest looking at the "retry" parameter and going back over the documentation.

Of course, the credentials are still on the machine, just in a separate, multikilobyte file. While that's less likely to be accidentally observed (unlike a password that can be read over the shoulder of a sysadmin), it may be more difficult (or just more work) to revoke if it is stolen than a simple password. If you go this route, I would suggest that you test and document locally the procedure for adding host2's cert to the CRL on host1.

Philip Guenther
Sendmail, Inc.
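An added example, not part of this thread, contrasting the two consumer configurations discussed above (simple bind with a cleartext `credentials` value versus SASL/EXTERNAL with a client certificate) and showing the provider-side CRL check the reply suggests rehearsing. Hostnames, DNs, file paths and the replication identity are constructed; the syncrepl `tls_*` keywords and `TLSCRLCheck` assume an OpenLDAP 2.4 slapd built against OpenSSL.

```conf
# host2 (consumer) slapd.conf: the pattern the original poster disliked.
# A simple bind stores a reusable cleartext secret in this file; anyone
# who can read slapd.conf can bind to host1 as the replication identity.
# Note: "retry", not "interval", is the keyword for refreshAndPersist.
syncrepl rid=001
         provider=ldap://host1.example.com
         type=refreshAndPersist
         retry="60 +"
         searchbase="dc=example,dc=com"
         bindmethod=simple
         binddn="cn=replicator,ou=system,dc=example,dc=com"
         credentials="s3cret"

# host2 (consumer) slapd.conf: SASL/EXTERNAL over TLS instead.
# The private key still lives on host2 (keep host2.key mode 0600, owned by
# the slapd user), but it is bound to a certificate that host1 can revoke
# without changing any directory entry. starttls=critical refuses to fall
# back to cleartext; tls_reqcert=demand verifies host1's server certificate.
syncrepl rid=001
         provider=ldap://host1.example.com
         type=refreshAndPersist
         retry="60 +"
         searchbase="dc=example,dc=com"
         starttls=critical
         tls_reqcert=demand
         tls_cacert=/etc/openldap/ca.pem
         tls_cert=/etc/openldap/host2.crt
         tls_key=/etc/openldap/host2.key
         bindmethod=sasl
         saslmech=EXTERNAL

# host1 (provider) slapd.conf: require a client certificate and check it
# against the CRL. With OpenSSL the CRL is placed in the hashed directory
# named by TLSCACertificatePath (run c_rehash after adding it), and
# TLSCRLCheck peer rejects a revoked host2 certificate at the TLS handshake,
# before any bind is attempted.
TLSCACertificatePath /etc/openldap/cacerts
TLSVerifyClient      demand
TLSCRLCheck          peer

# Map the certificate subject, which is what SASL/EXTERNAL yields as the
# authentication identity, onto the replication identity, then grant that
# identity read-only access to the replicated subtree and nothing more.
authz-regexp
  "^cn=host2\.example\.com,ou=servers,o=example$"
  "cn=replicator,ou=system,dc=example,dc=com"

access to dn.subtree="dc=example,dc=com"
  by dn.exact="cn=replicator,ou=system,dc=example,dc=com" read
  by * break
```

Before relying on the mapping, confirm the identity host1 actually derives from the certificate with `ldapwhoami -H ldap://host1.example.com -ZZ -Y EXTERNAL` from host2, and after adding host2's certificate to the CRL confirm the same command is refused; that rehearsal is the revocation procedure the reply recommends documenting.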