Hi,

If I remember correctly, you mentioned SASL authentication. My comments on plaintext passwords are only related to SASL authentication. A SASL authentication is based on a SASL mechanism, as described in RFC 4422. In order to compare the SASL authentication string with the stored password value, this has to be cleartext. If your LDAP operation is based on a simple bind, the stored password can, and should be, hashed.
-Dieter

On Tue, 8 Apr 2014 14:16:31 +0800, 田格瑄 <[email protected]> wrote:
> Hi Michael and Dieter,
>
> I see the below mail, can I understand only the mirror mode
> replication can't use the HASH password in rootpw, other synchronous
> replication mode (example: syncrepl proxy) can use the HASH password?
>
> Thanks and regards
> tiangexuan
>
> ------------------ Original Message ------------------
> From: "Michael Ströder" <[email protected]>;
> Sent: Wednesday, March 5, 2014, 4:09 PM
> To: "Dieter Klünter" <[email protected]>; "openldap-technical" <[email protected]>;
> Subject: Re: mirror mode & sasl question
>
> Dieter Klünter wrote:
> > On Wed, 5 Mar 2014 14:38:04 +0800, "Eileen(=^ω^=)" <[email protected]> wrote:
> >> This is Eileen from China SINAP. I am a beginner for openldap
> >> soft. I encountered a problem in my study on two LDAP services
> >> replication. I have 2 LDAP services, one name LDAP1, the other is
> >> LDAP2. I want to make them synchronously in mirror mode. But when
> >> I set LDAP services rootpw both in hash, the 2 LDAP services can't
> >> be synchronous. My question is
> >> 1. if I set my rootpw in hash, my bindmethod must be SASL? If
> >> I must use sasl method, can I put the sasl service in the same ldap
> >> service? If bindmethod=sasl then what is the saslmech should be?
> >> 2. If I change to sasl method, do I need change my database
> >> record?
> >
> > In order to use sasl, passwords must be cleartext and you should
> > configure an appropriate authz-regexp, see man slapd.conf(5)
> > You may use any sasl mechanism that your sasl framework provides.
> [...]
>
> To be more precise: In order to use password-based SASL mechs the
> passwords have to be stored in clear-text.
>
> Well, if working with SASL and TLS (LDAPS, StartTLS) one should
> consider using client certs and SASL/EXTERNAL for replication.
>
> Ciao, Michael.

-- 
Dieter Klünter | System Consulting
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
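To make the two options discussed above concrete, here is an added slapd.conf example (written for this page, not taken from the thread or from the OpenLDAP project) for a mirror-mode pair that replicates with SASL/EXTERNAL over TLS, with the simple-bind-against-a-hash alternative shown commented out. The domain dc=example,dc=com, the host names ldap1/ldap2, the replica entry and certificate subject DNs, the rid values and the certificate paths are all assumptions; in mirror mode both hosts carry both halves, with the names swapped.

```conf
### Provider side (ldap1) slapd.conf. Added example, not from the thread;
### dc=example,dc=com, the DNs and the file paths are assumptions.
# Simple bind works against a hashed secret: slapd hashes the offered
# password and compares, so no cleartext value is stored. Generate the
# hash with slappasswd; the value below is a placeholder.
rootdn   "cn=admin,dc=example,dc=com"
rootpw   {SSHA}PLACEHOLDER-REPLACE-WITH-slappasswd-OUTPUT

# Ask the peer for its certificate so SASL/EXTERNAL has an identity.
# "try" keeps certificate-less clients working; use "demand" if only
# replication peers ever connect to this listener.
TLSCACertificateFile    /etc/openldap/certs/ca.crt
TLSCertificateFile      /etc/openldap/certs/ldap1.crt
TLSCertificateKeyFile   /etc/openldap/certs/ldap1.key
TLSVerifyClient         try

# SASL/EXTERNAL over TLS uses the certificate subject, written as an LDAP
# DN string, as the SASL authentication identity; map it onto the replica's
# entry in the DIT. Assumed peer subject: cn=ldap2,ou=servers,o=example,c=us
authz-regexp
  "^cn=ldap2,ou=servers,o=example,c=us$"
  "cn=ldap2,ou=servers,dc=example,dc=com"

# Let that entry read the tree; everything else falls through to later ACLs.
access to *
  by dn.exact="cn=ldap2,ou=servers,dc=example,dc=com" read
  by * break

### Consumer side (ldap2) slapd.conf: mirror-mode syncrepl that never
### stores or sends a replication password (ldap1 has the mirror image
### of this stanza pointing at ldap2).
serverID 2
database mdb
suffix   "dc=example,dc=com"
syncrepl rid=002
  provider=ldaps://ldap1.example.com
  type=refreshAndPersist
  retry="60 +"
  searchbase="dc=example,dc=com"
  bindmethod=sasl
  saslmech=EXTERNAL
  tls_cert=/etc/openldap/certs/ldap2.crt
  tls_key=/etc/openldap/certs/ldap2.key
  tls_cacert=/etc/openldap/certs/ca.crt
  tls_reqcert=demand
mirrormode on
# Simple-bind alternative the thread also allows: the provider keeps only
# the hash, but this consumer still holds the cleartext credential.
#  bindmethod=simple
#  binddn="cn=ldap2,ou=servers,dc=example,dc=com"
#  credentials=replica-secret
```

The provider half also belongs on ldap2 and the consumer half on ldap1, since in mirror mode each host is both; the replica entry needs only a userPassword if the commented simple-bind variant is used.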
