Dieter Klünter wrote:
> On Wed, 5 Mar 2014 14:38:04 +0800, "Eileen(=^Ï^=)" <123784635@qq.com> wrote:
>> This is Eileen from China SINAP. I am a beginner with openldap software. I
>> encountered a problem in my study of replication between two LDAP services.
>> I have 2 LDAP services, one named LDAP1, the other LDAP2. I want
>> to make them synchronous in mirror mode. But when I set the LDAP
>> services' rootpw both in hash, the 2 LDAP services can't be
>> synchronous. My questions are:
>> 1. If I set my rootpw in hash, must my bindmethod be SASL? If I
>> must use the sasl method, can I put the sasl service in the same ldap
>> service? If bindmethod=sasl, then what should the saslmech be?
>> 2. If I change to the sasl method, do I need to change my database
>> records?
>
> In order to use sasl, passwords must be cleartext and you should
> configure an appropriate authz-regexp, see man slapd.conf(5).
> You may use any sasl mechanism that your sasl framework provides.
> [...]

To be more precise: In order to use password-based SASL mechs the
passwords have to be stored in clear-text.

Well, if working with SASL and TLS (LDAPS, StartTLS) one should consider
using client certs and SASL/EXTERNAL for replication.

Ciao, Michael.
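The setup Michael recommends, written out as an added slapd.conf example that is not part of this thread (hostnames, DNs, certificate paths and the replicator identity are assumed): each mirror node authenticates to its peer with a TLS client certificate over SASL/EXTERNAL, so no replication password, hashed or cleartext, is stored anywhere, the rootpw stays hashed, and authz-regexp maps the peer's certificate subject DN to a read-only replication identity.

```conf
# slapd.conf for mirror node ldap1 (assumed names and paths).
# The other node uses serverID 2, its own cert/key, and provider=ldaps://ldap1...
serverID                1
TLSCACertificateFile    /etc/ldap/certs/ca.pem
TLSCertificateFile      /etc/ldap/certs/ldap1.pem
TLSCertificateKeyFile   /etc/ldap/certs/ldap1.key
# Request a client cert but do not require one from ordinary clients;
# a cert that fails verification ends the session.
TLSVerifyClient         try

# SASL/EXTERNAL presents the peer's certificate subject as the authc DN.
# Map either node's subject (assumed cn=ldapN.example.com,ou=replication,o=example)
# to one replicator identity; the target DN need not exist as an entry.
authz-regexp
    "^cn=ldap[12]\.example\.com,ou=replication,o=example$"
    "cn=replicator,dc=example,dc=com"

database        mdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap
rootdn          "cn=admin,dc=example,dc=com"
# Placeholder hash: rootpw may stay hashed because replication never binds with it.
rootpw          {SSHA}PLACEHOLDER

# Only the mapped replicator identity may read everything; site ACLs follow.
access to *
    by dn.exact="cn=replicator,dc=example,dc=com" read
    by * break

# Pull changes from the peer. Using saslmech=DIGEST-MD5 here instead would
# require the peer's password to be stored in cleartext (the point of this thread);
# EXTERNAL authenticates with the TLS client certificate below.
syncrepl rid=001
    provider=ldaps://ldap2.example.com
    type=refreshAndPersist
    retry="60 +"
    searchbase="dc=example,dc=com"
    bindmethod=sasl
    saslmech=EXTERNAL
    tls_cert=/etc/ldap/certs/ldap1.pem
    tls_key=/etc/ldap/certs/ldap1.key
    tls_cacert=/etc/ldap/certs/ca.pem
    tls_reqcert=demand

# mirrormode must follow the syncrepl directive it applies to.
mirrormode      on

overlay         syncprov
syncprov-checkpoint 100 10
```

On each node, `ldapwhoami -H ldaps://peer -Y EXTERNAL` with the node's client cert configured in ldap.conf should return the mapped replicator DN; if it returns the raw certificate subject, the authz-regexp pattern does not match the normalized subject DN.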