Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
G
GoikLectures
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Wiki
Requirements
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Locked files
Deploy
Releases
Container Registry
Model registry
Monitor
Incidents
Analyze
Value stream analytics
Contributor analytics
Repository analytics
Code review analytics
Issue analytics
Insights
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Terms and privacy
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
Goik Martin
GoikLectures
Commits
19cdfbd4
Commit
19cdfbd4
authored
8 years ago
by
Goik Martin
Browse files
Options
Downloads
Patches
Plain Diff
Modified ldap replication configuration
parent
6359f7d2
No related branches found
No related tags found
No related merge requests found
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
Doc/Sdi/ldap.xml
+22
-35
22 additions, 35 deletions
Doc/Sdi/ldap.xml
with
22 additions
and
35 deletions
Doc/Sdi/ldap.xml
+
22
−
35
View file @
19cdfbd4
...
...
@@ -667,16 +667,24 @@ modifying entry "olcDatabase={0}config,cn=config"</programlisting>
<para>
Depending on your database backend choice you may have to alter
the
<link
xlink:href=
"http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap-olc"
>
installation
procedure
</link>
by replacing
<quote>
bdb
</quote>
with
<quote>
mdb
</quote>
accordingly both on the provider and the consumer side.
</para>
xlink:href=
"https://wiki.debian.org/LDAP/OpenLDAPSetup#with_cn.3Dconfig-1"
>
installation
procedure
</link>
by replacing
<quote>
hdb
</quote>
with
<quote>
mdb
</quote>
accordingly both on the provider and the consumer side. For (yet)
unknown reasons the
<property>
olcSyncProvConfig
</property>
<acronym>
objectclass
</acronym>
is absent on our systems. You may safely
omit configuring the related parameters
<property>
olcSyncProvConfig
</property>
and
<property>
olcSyncProvConfig
</property>
.
</para>
<para>
Using Apache Directory Studio may be used in favour of
<command>
ldapmodify
</command>
and friends.
</para>
<para>
Hints:
</para>
<orderedlist>
<listitem>
<para>
Activating the syncprov overlay requires an
additional
<property>
olcModuleLoad
</property>
value:
</para>
<para>
Activating the
<code>
syncprov
</code>
overlay requires an
additional
<property>
olcModuleLoad
</property>
value:
</para>
<programlisting
language=
"none"
>
dn: cn=module{0},cn=config
objectClass: olcModuleList
...
...
@@ -687,42 +695,21 @@ olcModulePath: /usr/lib/ldap</programlisting>
</listitem>
<listitem>
<para/>
<para>
You may want to add the value
<code>
sync
</code>
to the
<property>
olcLogLevel
</property>
attribute. This will create related
messages in
<filename>
/var/log/syslog
</filename>
.
</para>
</listitem>
</orderedlist>
<para>
Check for provider changes being propagated to the
consumer.
</para>
<para>
The current configuration does have two serious security
flaws:
</para>
<orderedlist>
<listitem>
<para>
The replication is based on the provider's
<code>
cn=admin,dc=hdm-stuttgart,dc=de
</code>
account having maximum
privileges. Read access is however sufficient. Thus in a
professional environment you will have to define an appropriate
<code>
syncrepl
</code>
user having just enough (read)
privileges.
</para>
</listitem>
<listitem>
<para>
The credentials are being sent in clear text and are thus
subject to network sniffing (e.g. by using
<link
xlink:href=
"https://www.wireshark.org"
>
Wireshark
</link>
). In a
professional setup you will have to configure
<xref
linkend=
"glo_TLS"
/>
for encrypting your communication
channel.
</para>
</listitem>
</orderedlist>
<para>
The
<link
xlink:href=
"https://help.ubuntu.com/lts/serverguide/openldap-server.html#openldap-provider-configuration"
>
installation
procedure
</link>
does have a security drawback: It uses the provider's
<code>
cn=admin,dc=hdm-stuttgart,dc=de
</code>
account. Read access is
however sufficient. Thus define a suitable replication user for this
purpose being endowed with just sufficient privileges:
</para>
<para>
The current configuration contains a serious security flaw: The
credentials are being sent in clear text and are thus subject to network
sniffing (e.g. by using
<link
xlink:href=
"https://www.wireshark.org"
>
.Wireshark
</link>
). In a
professional setup you will have to configure
<xref
linkend=
"glo_TLS"
/>
for encrypting your communication channel.
</para>
</section>
<section
xml:id=
"sdiSectLdapByJava"
>
...
...
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment