Re: mirror mode question
Hi,
On Wed, 9 Apr 2014, çæç wrote:
Hi Christian,
Thank you very much~:)
Do I understand correctly that I should change my config as below?
<snipp/>
rootpw {SSHA}miU6lvcqHnP+bAlZz4DruvOm8DeEczQR
<snipp/>
syncrepl rid=001
provider=ldap://other side ip
bindmethod=simple
binddn="cn=manager,dc=xxx,dc=xxx"
credentials=sillypassword
Yes, the above is the idea. You can hash the rootpw, but your replication partners will of course need the cleartext password so they can authenticate.
Use slappasswd to generate the hash from your own secret password.
If yes, I have a question: other people can see my rootpw, this is not safe, isn't it?
Other people cannot decode the password from the hash. So your rootpw is safe on the provider node.
There is no way to secure the credentials on the consumer node, as it will have to know the password in order to authenticate. Take a moment to think about how having a hashed password on the consumer would allow it to authenticate. And if it would, how would that stop somebody from grabbing the hashed password and using it, if that would work?
If you do not want to have cleartext credentials, you could of course use SASL method=external with client certificates, as has been suggested before. You could then have a configuration without any cleartext passwords. But of course you would need to have the client certificate and corresponding private key on the consumer node. In that case this could be stolen.
Using a separate dn or client certificates for the replication user is good practice so you can limit the respective privileges to read only.
You could even use an ACL to further limit the client IP addresses from which the consumers can connect.
Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ck@cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/
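The following slapd.conf fragment is an added illustration of the advice in the reply above (dedicated read-only replication identity, peer address restriction, SASL EXTERNAL with client certificates instead of the cleartext credentials= line from the question); it is not taken from either poster's configuration. All names, addresses, file paths and the certificate subject are assumptions; in mirror mode every node carries both the provider part and the syncrepl consumer part.

```conf
# ---- provider part (every mirror node) ----
serverID        1
mirrormode      on
rootdn          "cn=manager,dc=example,dc=com"
rootpw          {SSHA}<paste output of slappasswd here>   # hashed, never cleartext

# TLS material; peers must present a client certificate signed by our CA
TLSCACertificateFile    /etc/ldap/ca.pem
TLSCertificateFile      /etc/ldap/server.pem
TLSCertificateKeyFile   /etc/ldap/server.key
TLSVerifyClient         demand

# Map the peer's certificate subject (assumed value) to a local replication DN,
# so the replication identity is not the rootdn and carries only read rights.
authz-regexp "^cn=replicator,ou=ldap,o=example$"
             "cn=replicator,dc=example,dc=com"

# Replication identity: read only, and only from the peer's address (assumed).
access to *
        by dn.exact="cn=replicator,dc=example,dc=com" peername.ip=192.0.2.20 read
        by * break
limits dn.exact="cn=replicator,dc=example,dc=com" size=unlimited time=unlimited

# ---- consumer part (same node): no password anywhere in the config ----
syncrepl rid=001
        provider=ldap://ldap2.example.com
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=example,dc=com"
        bindmethod=sasl
        saslmech=EXTERNAL
        starttls=critical
        tls_cacert=/etc/ldap/ca.pem
        tls_cert=/etc/ldap/replicator.pem
        tls_key=/etc/ldap/replicator.key     # still a secret on disk, protect its permissions
        tls_reqcert=demand
```

The private key in tls_key is the remaining secret on the consumer, so file permissions and the ACL scope above are what limit the damage if a node is compromised.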