Re: Configure replication without a plaintext password.
Thank you for sharing the test case; SASL/EXTERNAL is working.
RE: Configure replication without a plaintext password.
Thank you, it is working by enabling bindmethod=sasl and saslmech=external in the olcSyncrepl configuration.
Re: Configure replication without a plaintext password.
--On Friday, March 8, 2024 5:42 PM + mbala...@opentext.com wrote:

> How to configure olcSyncrepl without a plaintext password? I tried using
> credentials="{SSHA256}jRlrKRCcrhYo7SqbPDc5WkoSxaHc8y/e0DPWaAnveUkQpQ7wEOWhsw=="
> format. Does olcSyncrepl accept password in {SSHA256} format?

You will need to use a passwordless SASL mechanism, as others have noted. If you peruse the test suite, you will see that test068-sasl-tls-external configures SASL/EXTERNAL certificate authentication in an OpenLDAP server. I use SASL/EXTERNAL certificate authentication in my replication setup.

Regards,
Quanah
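Putting the settings from the two replies above together (bindmethod=sasl with saslmech=external on the consumer, certificate authentication on the provider), here is an added configuration example. It is mine, not taken from the list posts or from OpenLDAP's test068 script; hostnames, DNs, file paths and the rid are assumed placeholders.

```ldif
# Added example (not from the thread, not OpenLDAP's own test068 script).
# Hostnames, DNs, file paths and the rid are placeholders to adapt.

# Weak form (what the thread wants to avoid): the replication secret sits in
# cn=config in clear text, readable by anyone who can read that entry.
#   bindmethod=simple binddn="cn=replicator,dc=example,dc=com"
#   credentials=ReplicaSecret

# Consumer side: bind with SASL/EXTERNAL over TLS. The consumer's X.509
# client certificate is the credential, so there is no credentials= at all.
# LDIF continuation lines start with one space; the second space is kept.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=001
  provider=ldap://provider.example.com
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  retry="60 +"
  bindmethod=sasl
  saslmech=EXTERNAL
  starttls=critical
  tls_cacert=/etc/ldap/tls/ca.crt
  tls_cert=/etc/ldap/tls/consumer1.crt
  tls_key=/etc/ldap/tls/consumer1.key
  tls_reqcert=demand

# Provider side: ask clients for a certificate ("try" drops the session on a
# bad certificate but still lets certificate-less clients bind by password;
# "demand" would force every TLS client to present one). Then map the
# certificate subject DN, as slapd renders it (confirm with
# ldapwhoami -Y EXTERNAL), onto the replicator entry that ACLs refer to.
dn: cn=config
changetype: modify
replace: olcTLSVerifyClient
olcTLSVerifyClient: try
-
add: olcAuthzRegexp
olcAuthzRegexp: "^cn=consumer1,ou=replicas,o=example,c=us$"
  "cn=replicator,dc=example,dc=com"

# Provider side: the mapped identity still needs unlimited search results on
# the replicated tree (the ACL granting it read access is assumed to exist).
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="cn=replicator,dc=example,dc=com"
  time.soft=unlimited time.hard=unlimited
  size.soft=unlimited size.hard=unlimited
```

Before enabling the consumer, check the mapping from the consumer host with `ldapwhoami -H ldap://provider.example.com -ZZ -Y EXTERNAL` (with TLS_CERT/TLS_KEY set in its ldap.conf); it should answer with the replicator DN, not the raw certificate subject.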
RE: Configure replication without a plaintext password.
Hi mbalakri,

May I politely suggest that you try it yourself and see?

Chris Paul | https://www.rexconsulting.net

> -----Original Message-----
> From: mbala...@opentext.com
> Sent: Friday, March 8, 2024 10:56 AM
> To: openldap-technical@openldap.org
> Subject: Re: Configure replication without a plaintext password.
>
> Christopher Paul,
> https://www.openldap.org/faq/data/cache/1504.html, are you talking about
> this configuration?
Re: Configure replication without a plaintext password.
Christopher Paul, https://www.openldap.org/faq/data/cache/1504.html, are you talking about this configuration?
Re: Configure replication without a plaintext password.
Using X.509 (sasl external) is super easy (once you figure it out, like a lot of this stuff), and is nice because you are not relying on a KDC, and no passwords need to be displayed in your syncrepl configs.

From: brendan kearney
Sent: Friday, March 8, 2024 10:09 AM
To: Ben Poliakoff
Cc: mbala...@opentext.com; openldap-technical@openldap.org
Subject: Re: Configure replication without a plaintext password.

Ben, I would like to use GSSAPI for my replication. Would you be willing to share how you went about it?

Thanks,
Brendan
Re: Configure replication without a plaintext password.
Ben, I would like to use GSSAPI for my replication. Would you be willing to share how you went about it?

Thanks,
Brendan

On Fri, Mar 8, 2024, 1:05 PM Ben Poliakoff wrote:

> You definitely won't be able to use a password hash as a credential for
> syncrepl. A hash is a one-way function, so you can't readily derive the
> password from it (except via exhaustive brute force).
>
> To avoid storing a clear text password in your config, you'll need to use
> another mechanism such as GSSAPI. That's what I use in my installations.
> x509 certificates/keys might be another option.
>
> All of the options are more complicated than using a plain text password,
> but they're also a bit more secure.
>
> Ben
>
> On Fri, Mar 8, 2024, 9:43 AM wrote:
>
>> How to configure olcSyncrepl without a plaintext password? I tried using
>> credentials="{SSHA256}jRlrKRCcrhYo7SqbPDc5WkoSxaHc8y/e0DPWaAnveUkQpQ7wEOWhsw=="
>> format. Does olcSyncrepl accept password in {SSHA256} format?
Re: Configure replication without a plaintext password.
You definitely won't be able to use a password hash as a credential for syncrepl. A hash is a one-way function, so you can't readily derive the password from it (except via exhaustive brute force).

To avoid storing a clear text password in your config, you'll need to use another mechanism such as GSSAPI. That's what I use in my installations. x509 certificates/keys might be another option.

All of the options are more complicated than using a plain text password, but they're also a bit more secure.

Ben

On Fri, Mar 8, 2024, 9:43 AM wrote:

> How to configure olcSyncrepl without a plaintext password? I tried using
> credentials="{SSHA256}jRlrKRCcrhYo7SqbPDc5WkoSxaHc8y/e0DPWaAnveUkQpQ7wEOWhsw=="
> format. Does olcSyncrepl accept password in {SSHA256} format?
Configure replication without a plaintext password.
How to configure olcSyncrepl without a plaintext password? I tried using the credentials="{SSHA256}jRlrKRCcrhYo7SqbPDc5WkoSxaHc8y/e0DPWaAnveUkQpQ7wEOWhsw==" format. Does olcSyncrepl accept a password in {SSHA256} format?