On Sat, 21 Apr 2007, Quanah Gibson-Mount wrote:
...
>> It seems to work OK, but I don't like the idea of having a plaintext
>> password in Host2's slapd.conf.
>> Is SASL the only sensible way to go here, security-wise?
> You could use SASL/EXTERNAL (cert auth) certainly... I'll note that
> "interval" is not a valid parameter for "refreshAndPersist", I suggest
> looking at the "retry" parameter and going back over the documentation.
Of course, the credentials are still on the machine, just in a separate,
multikilobyte file. While that's less likely to be accidentally observed
(unlike a password that can be read over the shoulder of a sysadmin), it
may be more difficult (or just more work) to revoke if it is stolen than a
simple password. If you go this route, I would suggest that you test and
document locally the procedure for adding host2's cert to the CRL on
host1.
Philip Guenther
Sendmail, Inc.
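Added example (not from the thread, and not OpenLDAP's own documentation) showing what the two suggestions look like in slapd.conf: Quanah's SASL/EXTERNAL consumer stanza using "retry" rather than the invalid "interval", and Philip's CRL check on the provider so a stolen host2 certificate can be revoked. Host names, file paths, the rid, the suffix dc=example,dc=com, the replicator DN and the certificate subject in the authz-regexp are assumptions; the commented-out first stanza is the plaintext-credential form the original poster wanted to avoid.

```conf
# ---- host2 (consumer): the form the original poster did not like ----
# A simple bind leaves the replicator's password in clear text in this file.
# (assumed names; kept commented out for comparison only)
# syncrepl rid=001
#   provider=ldap://host1.example.com
#   type=refreshAndPersist
#   retry="60 +"
#   searchbase="dc=example,dc=com"
#   bindmethod=simple
#   binddn="cn=replicator,dc=example,dc=com"
#   credentials=PLAINTEXT_PASSWORD_PLACEHOLDER

# ---- host2 (consumer): SASL/EXTERNAL over TLS, as Quanah suggests ----
# There is deliberately no "interval=" here: that keyword belongs to
# type=refreshOnly. For refreshAndPersist the reconnect behaviour comes
# from "retry"; "60 +" means retry every 60 seconds, indefinitely.
# The consumer authenticates with its own certificate (assumed paths),
# so no password appears anywhere in this file.
TLSCACertificateFile  /etc/openldap/cacert.pem
syncrepl rid=001
  provider=ldap://host1.example.com
  type=refreshAndPersist
  retry="60 +"
  searchbase="dc=example,dc=com"
  starttls=critical
  bindmethod=sasl
  saslmech=EXTERNAL
  tls_cert=/etc/openldap/host2-cert.pem
  tls_key=/etc/openldap/host2-key.pem
  tls_cacert=/etc/openldap/cacert.pem
  tls_reqcert=demand

# ---- host1 (provider) ----
TLSCACertificateFile  /etc/openldap/cacert.pem
TLSCertificateFile    /etc/openldap/host1-cert.pem
TLSCertificateKeyFile /etc/openldap/host1-key.pem
# Require a client certificate from every TLS peer.
TLSVerifyClient       demand
# Philip's point: if host2's key is stolen, revoke it by adding the cert
# to this CRL; "peer" makes slapd check every client cert against it,
# so a revoked host2 can no longer bind as the replicator.
TLSCRLFile            /etc/openldap/crl.pem
TLSCRLCheck           peer
# Map the certificate subject (assumed) onto the replicator's LDAP identity,
# which is what SASL/EXTERNAL binds as.
authz-regexp
  "cn=host2.example.com,o=example"
  "cn=replicator,dc=example,dc=com"
# Give that identity read access to the replicated tree and nothing more.
access to *
  by dn.exact="cn=replicator,dc=example,dc=com" read
  by * break
```

Revocation on host1 is only as good as the process that regenerates crl.pem and reloads it, which is why Philip's advice to rehearse and document that step locally matters more than the directives themselves.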