Re: Best practise for syncrepl security & latency?

[Kari Mattsson <kari@trivore.com>]

Quanah Gibson-Mount wrote:
> --On Saturday, April 21, 2007 11:08 PM +0300 Kari Mattsson 
> <kari@trivore.com> wrote:
>
> > Hola!
> >
> > I have this situation at hand, and would like to solve it proper way.
> > It appears finding this kind of information on OpenLDAP is hard to come
> > by.
> >
> > Host1 holds master OpenLDAP DIT.
> > Host2 holds full syncrepl replicated read-only copy of the same DIT.
> >
> > Replication latency should be minimised. 30 seconds is ok, tough.
> >
> > Host1's slapd.conf contains lines like:
> > overlay syncprov
> > syncprov-checkpoint 1 1
> > syncprov-sessionlog 100
> >
> > Host2's slapd.conf contains line:
> > syncrepl rid=10
> >    provider=ldap://HOST1:389
> >    starttls=critical
> >    type refreshAndPersist
> >    interval=00:00:00:29
> >    binddn="cn=replicator,dc=BASENAME"
> >    credentials="secret_password"
> >    bindmethod=simple
> >    searchbase="dc=BASENAME"
> >
> > It seems to work ok, but I don't like the idea of having plain text
> > password on the Host2's slapd.conf.
> >
> > Any comments on the Host1's values would be valuable.
> > Same goes for Host2's values.
> >
> > Is SASL the only sensible way to go here, security-wise?
>
> You could use SASL/EXTERNAL (cert auth) certainly... I'll note that 
> "interval" is not a valid parameter for "refreshAndPersist", I suggest 
> looking at the "retry" parameter and going back over the documentation.

Yes, thanks. So it seems. I went to the manual page. I wuld like to 
note, that there is an somewhat misleading error on page 
<http://www.openldap.org/faq/data/cache/1117.html> in the example.  On 
the explanation below, the text is correct.

On the subject matter, I'll go for SASL.  Thanks!

> --Quanah