> On 1 Feb 2021, at 23:35, Eugen Lamers <eugen.lam...@br-automation.com> wrote:
>
> Hi William,
> it's an old thread, but it's mine, so I will give an update to the situation
> and a follow-up question.
> We changed from StartTLS on 389 to SSL on 636 some time ago. Trying to
> reconsider the topic we found that there is no plaintext password sent via
> network between the replicants, which was the case in the StartTLS on 389
> scenario. This would reduce the problem with plaintext password for the
> replication manager to the storage, mainly the dse.ldif, I think.

To be sure, I'd need to see your configured replication agreement to understand how it's been configured to authenticate. Provided you are using SSL (LDAPS) and simple bind, then the password *is* sent to the other server, but it's inside of TLS so it is secure.

> We would be glad if you could confirm this thought. It would save us from
> trying again the use of client auth for replication which hadn't been
> successful yet.
> Kind regards,

—
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia
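
Added example, not part of the original thread: one way to check how each replication agreement in `dse.ldif` authenticates, by reading the `nsDS5ReplicaTransportInfo`, `nsDS5ReplicaBindMethod` and `nsDS5ReplicaCredentials` attributes. The sample entries are constructed, and treating absent attributes as plain LDAP with simple bind is an assumption.

```python
# Constructed sample in dse.ldif style; hosts, DNs and the credential are placeholders.
SAMPLE_DSE = """\
dn: cn=to-ldap2,cn=replica,cn=example,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
nsDS5ReplicaHost: ldap2.example.com
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaBindDN: cn=replication manager,
 cn=config
nsDS5ReplicaCredentials: {PLACEHOLDER}not-a-real-value

dn: cn=to-ldap3,cn=replica,cn=example,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
nsDS5ReplicaHost: ldap3.example.com
nsDS5ReplicaTransportInfo: LDAP
nsDS5ReplicaBindMethod: SIMPLE
"""
ENCRYPTED = {"SSL", "LDAPS", "TLS", "STARTTLS"}  # transport values that wrap the bind in TLS

def parse_ldif(text):
    """Unfold LDIF continuation lines; return entries as {attr_lowercase: [values]}."""
    unfolded, entries, current = [], [], {}
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # a leading space continues the previous line
        else:
            unfolded.append(line)
    for line in unfolded + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.lstrip(": ").strip())
    return entries

def audit_agreements(entries):
    """Report, per replication agreement, how the supplier authenticates to the consumer."""
    findings = []
    for e in entries:
        if "nsds5replicationagreement" not in (v.lower() for v in e.get("objectclass", [])):
            continue
        # Assumption: an absent attribute means plain LDAP / simple bind.
        transport = e.get("nsds5replicatransportinfo", ["LDAP"])[0].upper()
        method = e.get("nsds5replicabindmethod", ["SIMPLE"])[0].upper()
        verdict = ("no simple-bind password on the wire" if method != "SIMPLE"
                   else "password sent inside TLS" if transport in ENCRYPTED
                   else "password sent in cleartext")
        findings.append({"dn": e["dn"][0], "transport": transport, "method": method,
                         "verdict": verdict, "stored_credential": "nsds5replicacredentials" in e})
    return findings
```

Run `audit_agreements(parse_ldif(open(path).read()))` against a copy of `dse.ldif`; `stored_credential` marks the agreements whose bind password is kept in that file.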