Hi Dieter,

Thanks for your kind replies.

In my case, I don't use any SASL. I want to use simple bind, but my mirror mode can't work when my rootpw is a hash (if the rootpw is in cleartext, the mirror mode can work). Could you please advise what is wrong with my configuration? My slapd.conf file is set as below.

moduleload syncprov.la

database bdb
suffix "dc=xxx,dc=xxx"
checkpoint 1024 15
rootdn "cn=manager,dc=xxx,dc=xxx"
rootpw {SSHA}aeiyuikahdkfjhdiuvy
directory /var/lib/ldap/xxx

access to * by self write by * read

# Indices to maintain for this database
index objectClass,entryCSN,entryUUID eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# (ldap2 service is 2)
serverID 1

syncrepl rid=001
    provider=ldap://other side ip
    bindmethod=simple
    binddn="cn=manager,dc=xxx,dc=xxx"
    credentials={SSHA} aeiyuikahdkfjhdiuvy
    searchbase="dc=xxx,dc=xxx"
    schemachecking=on
    type=refreshAndPersist
    retry="60 +"

mirrormode on

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

Thanks and regards
tiangexuan

-----Original Message-----

Hi,

If I remember correctly, you mentioned SASL authentication. My comments on plaintext passwords are only related to SASL authentication. A SASL authentication is based on a SASL mechanism, as described in RFC 4422. In order to compare the SASL authentication string with the stored password value, this has to be cleartext. If your LDAP operation is based on a simple bind, the stored password can, and should be, hashed.

-Dieter

Am Tue, 8 Apr 2014 14:16:31 +0800
schrieb <tiangexuan@sinap.ac.cn>:

> Hi Michael and Dieter,
>
> I see the mail below. Can I understand that only mirror mode
> replication can't use the hashed password in rootpw, while other
> synchronous replication modes (for example, syncrepl proxy) can use
> the hashed password?
>
> Thanks and regards
> tiangexuan
>
> ------------------ Original Message ------------------
> From: "Michael Ströder" <michael@stroeder.com>;
> Sent: 2014-03-05 (Wednesday) 4:09 PM
> To: "Dieter Klünter" <dieter@dkluenter.de>; "openldap-technical" <openldap-technical@openldap.org>;
> Subject: Re: mirror mode & sasl question
>
> > Dieter Klünter wrote:
> > > Am Wed, 5 Mar 2014 14:38:04 +0800
> > > schrieb "Eileen" <123784635@qq.com>:
> > > > This is Eileen from China SINAP. I am a beginner for openldap soft.
> > > > I encountered a problem in my study on two LDAP services
> > > > replication. I have 2 LDAP services, one named LDAP1, the other is
> > > > LDAP2. I want to make them synchronous in mirror mode. But when
> > > > I set the LDAP services' rootpw both in hash, the 2 LDAP services can't
> > > > be synchronous. My questions are
> > > > 1. If I set my rootpw in hash, must my bindmethod be SASL? If
> > > > I must use the SASL method, can I put the SASL service in the same LDAP
> > > > service? If bindmethod=sasl, then what should the saslmech be?
> > > > 2. If I change to the SASL method, do I need to change my database
> > > > records?
> > >
> > > In order to use SASL, passwords must be cleartext and you should
> > > configure an appropriate authz-regexp, see man slapd.conf(5). You may
> > > use any SASL mechanism that your SASL framework provides.
> > [...]
> >
> > To be more precise: In order to use password-based SASL mechs the
> > passwords have to be stored in clear-text.
> >
> > Well, if working with SASL and TLS (LDAPS, StartTLS) one should
> > consider using client certs and SASL/EXTERNAL for replication.
> >
> > Ciao, Michael.

--
Dieter Klünter | Systemberatung
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
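An added example (not from any of the posters and not OpenLDAP's own code) that illustrates the point of the thread: with a simple bind the provider only needs the one-way {SSHA} hash in rootpw, because it hashes whatever cleartext the consumer sends and compares. The consumer, however, sends the syncrepl credentials= string verbatim, so pasting the hash there makes the bind fail. The code below reimplements the {SSHA} layout (base64 of sha1(password + salt) followed by the salt, as produced by slappasswd), models the bind check, and includes a small lint over a constructed slapd.conf fragment that flags a hash scheme in credentials=. All config values, the password "correct horse" and the fixed 4-byte salt are constructed for the example.

```python
"""Added example (not from the thread): {SSHA} hashing/verification as slapd
does it for a simple bind, plus a lint for a hash pasted into syncrepl
credentials=."""
import base64
import hashlib
import hmac
import os
import re
from typing import List, Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt).
    slappasswd -h {SSHA} uses a random 4-byte salt; the same layout is used here."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value.
    This one-way comparison is all a simple bind needs: the server keeps only
    the hash and the client presents the cleartext (over TLS)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= 20:          # a SHA-1 digest is 20 bytes; the rest is salt
        return False
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Matches a password-scheme prefix such as {SSHA}, {SHA}, {CRYPT}.
_HASH_SCHEME = re.compile(r"^\{[A-Za-z0-9-]+\}")
# Matches credentials=value, quoted or bare, on a syncrepl line.
_CREDENTIALS = re.compile(r"credentials=(?:\"([^\"]*)\"|(\S+))")


def _credentials_value(match: "re.Match") -> str:
    return match.group(1) if match.group(1) is not None else match.group(2)


def find_hashed_credentials(conf_text: str) -> List[int]:
    """Return 1-based line numbers where credentials= carries a hash scheme.
    The consumer sends this value verbatim in its bind, so it must be the
    cleartext password matching the provider's rootpw hash, never the hash."""
    bad = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        m = _CREDENTIALS.search(line)
        if m and _HASH_SCHEME.match(_credentials_value(m)):
            bad.append(lineno)
    return bad


def simulate_consumer_bind(conf_text: str) -> bool:
    """Model the consumer binding to a provider that uses the same rootpw:
    the provider runs ssha_verify() on whatever string arrives."""
    rootpw = re.search(r"^rootpw\s+(\S+)", conf_text, re.M).group(1)
    sent = _credentials_value(_CREDENTIALS.search(conf_text))
    return ssha_verify(sent, rootpw)


# Constructed sample config (hypothetical hostnames and secret, not the poster's).
ROOT_PASSWORD = "correct horse"
ROOT_HASH = ssha_hash(ROOT_PASSWORD, salt=b"\x01\x02\x03\x04")

BROKEN_CONF = f"""\
rootpw {ROOT_HASH}
syncrepl rid=001
    provider=ldap://ldap2.example.test
    bindmethod=simple
    binddn="cn=manager,dc=example,dc=test"
    credentials={ROOT_HASH}
    searchbase="dc=example,dc=test"
"""

# Same config with the cleartext password in credentials=, rootpw still hashed.
FIXED_CONF = BROKEN_CONF.replace(
    f"credentials={ROOT_HASH}", f'credentials="{ROOT_PASSWORD}"'
)

if __name__ == "__main__":
    print("hashed credentials on lines:", find_hashed_credentials(BROKEN_CONF))
    print("broken config binds:", simulate_consumer_bind(BROKEN_CONF))
    print("fixed config binds:", simulate_consumer_bind(FIXED_CONF))
```

Running the block reports line 6 of the broken fragment, a failed bind for it and a successful bind for the fixed one. The lint only looks for a scheme prefix, so it also catches {SHA}, {CRYPT} and similar values; a cleartext password that happens to start with a brace would be a false positive and should be quoted.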