Discussion:
syncrepl without cleartext password.
(too old to reply)
Prakash Padadune
2015-10-27 04:03:53 UTC
Permalink
I want to implement syncrepl without having cleartext password in the
slapd.conf.
How this can be achieved?

~~~
*Prakash*
Michael Ströder
2015-10-27 09:53:01 UTC
Permalink
Post by Prakash Padadune
I want to implement syncrepl without having cleartext password in the
slapd.conf.
How this can be achieved?
Use TLS with client certs and SASL/EXTERNAL. Of course this needs key files in
clear-text on the disk if you want to start slapd unattended.

Ciao, Michael.
Christian Kratzer
2015-10-27 16:52:01 UTC
Permalink
Content preview: Hi, On Tue, 27 Oct 2015, Prakash Padadune wrote: > I want
to implement syncrepl without having cleartext password in the > slapd.conf.
How this can be achieved? [...]
Content analysis details: (-1.9 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: cksoft.de]
-0.0 SPF_PASS SPF: sender matches SPF record
0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]

Hi,
I want to implement syncrepl without having cleartext password in the
slapd.conf.
How this can be achieved?
authenticate using client certificates and sasl_method = external

You will need the private key files on the clients though.

olcSyncrepl: {0}rid=001 provider=ldap://ldap1.foo.bar bindmethod=sasl saslmech=external keepalive=60:6:10 starttls=yes tls_cert="/etc/ssl/ce rts/server.cert" tls_key="/etc/ssl/certs/server.key" tls_cacert="/etc/ssl/certs/CA.cert" tls_reqcert=demand tls_crlcheck =none filter="(objectclass=*)" searchbase="dc=foo,dc=bar" scope=sub type=refreshAndPersist retry="60 10 300 +"

olcSyncrepl: {1}rid=002 provider=ldap://ldap2.foo.bar bindmethod=sasl saslmech=external keepalive=60:6:10 starttls=yes tls_cert="/etc/ssl/ce
rts/server.cert" tls_key="/etc/ssl/certs/server.key" tls_cacert="/etc/ssl/certs/CA.cert" tls_reqcert=demand tls_crlcheck =none filter="(objectclass=*)" searchbase="dc=foo,dc=bar" scope=sub type=refreshAndPersist retry="60 10 300 +"

then map your certificate identity to an entry in your tree that has appropriate permissions:

olcAuthzRegexp: {0}"cn=([^,]*)," "cn=$1,ou=servers,dc=foo,dc=bar"


Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ***@cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/
Loading...