Hi,
Although I use cn=config instead of slapd.conf, my setup is similar.
I've created one user (e.g. cn=replicator) with global read access.
Created a certificate (and private key) for that user and mapped it to
the user via:
olcAuthzRegexp: {0}"cn=certificate data comes here" "cn=replicator"
then my replica line looks like this:
olcSyncrepl: {0}rid=001 provider=ldap://firstserver bindmethod=sasl
saslmech=external
authcid="cn=certificate data comes here" starttls=critical
tls_cert=/path/to/the/cert
tls_key=/path/to/the/privatekey tls_cacert=/path/to/the/cacert
tls_reqcert=demand searchbase=
"dc=example,dc=com" type=refreshAndPersist retry="5 5 300 5" timeout=1
Hi,
I have version 2.4.22 running with mirrormode enabled and it is working
well.
I have a question regarding the credentials field in the syncrepl part
in slapd.conf.
Must this be cleartext or can it be encrypted and what is considered
good practise
regarding which binddn to use. (e.g. should I create a user with
cleartext password
specifically for replication?)
Up to now I have used the same binddn as my rootdn but I can only get
this to work
with a cleartext password and I don't want to have my rootpw as
cleartext in slapd.conf.
Here is my current slapd.conf snippet
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
moduleload syncprov
overlay syncprov
syncprov-checkpoint 1 1
syncprov-sessionlog 100
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain
index objectClass eq
syncrepl rid=123
provider=ldap://server:389
type=refreshAndPersist
retry="5 5 300 +"
searchbase="dc=example,dc=com"
attrs="*,+"
bindmethod=simple
binddn="cn=Manager,dc=uniscope,dc=jp"
credentials=secret
mirrormode on
Any help would be appreciated. Thanks.
Hotmail: Trusted email with Microsoft’s powerful SPAM protection.
Sign
up now.
|