Commit 19cdfbd4 authored by Goik Martin
Modified ldap replication configuration

parent 6359f7d2
......@@ -667,16 +667,24 @@ modifying entry "olcDatabase={0}config,cn=config"</programlisting>
<para>Depending on your database backend choice you may have to alter
the <link
xlink:href="http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap-olc">installation
procedure</link> by replacing <quote>bdb</quote> with <quote>mdb</quote>
accordingly both on the provider and the consumer side.</para>
xlink:href="https://wiki.debian.org/LDAP/OpenLDAPSetup#with_cn.3Dconfig-1">installation
procedure</link> by replacing <quote>hdb</quote> with <quote>mdb</quote>
accordingly both on the provider and the consumer side. For (yet)
unknown reasons the <property>olcSyncProvConfig</property>
<acronym>objectclass</acronym> is absent on our systems. You may safely
omit configuring the related parameters
<property>olcSyncProvConfig</property> and
<property>olcSyncProvConfig</property>.</para>
<para>Using Apache Directory Studio may be used in favour of
<command>ldapmodify</command> and friends.</para>
<para>Hints:</para>
<orderedlist>
<listitem>
<para>Activating the syncprov overlay requires an additional
<property>olcModuleLoad</property> value:</para>
<para>Activating the <code>syncprov</code> overlay requires an
additional <property>olcModuleLoad</property> value:</para>
<programlisting language="none">dn: cn=module{0},cn=config
objectClass: olcModuleList
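Review bot: the added sentence on parameters that may be omitted names olcSyncProvConfig twice, and that is the objectclass itself rather than one of its attributes; either spell out the overlay's actual attribute names (its olcSp* attributes) or drop the sentence. The statement that the objectclass is absent "for (yet) unknown reasons" is most plausibly explained by the syncprov module not being loaded yet, which the first hint in this very hunk covers ("Activating the syncprov overlay requires an additional olcModuleLoad value"); pointing readers to that check is more useful than telling them to skip the configuration. Minor: "Using Apache Directory Studio may be used in favour of" should read "Apache Directory Studio may be used instead of".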
......@@ -687,42 +695,21 @@ olcModulePath: /usr/lib/ldap</programlisting>
</listitem>
<listitem>
<para/>
<para>You may want to add the value <code>sync</code> to the
<property>olcLogLevel</property> attribute. This will create related
messages in <filename>/var/log/syslog</filename>.</para>
</listitem>
</orderedlist>
<para>Check for provider changes being propagated to the
consumer.</para>
<para>The current configuration does have two serious security
flaws:</para>
<orderedlist>
<listitem>
<para>The replication is based on the provider's
<code>cn=admin,dc=hdm-stuttgart,dc=de</code> account having maximum
privileges. Read access is however sufficient. Thus in a
professional environment you will have to define an appropriate
<code>syncrepl</code> user having just enough (read)
privileges.</para>
</listitem>
<listitem>
<para>The credentials are being sent in clear text and are thus
subject to network sniffing (e.g. by using <link
xlink:href="https://www.wireshark.org">Wireshark</link>). In a
professional setup you will have to configure <xref
linkend="glo_TLS"/> for encrypting your communication
channel.</para>
</listitem>
</orderedlist>
<para>The <link
xlink:href="https://help.ubuntu.com/lts/serverguide/openldap-server.html#openldap-provider-configuration">installation
procedure</link> does have a security drawback: It uses the provider's
<code>cn=admin,dc=hdm-stuttgart,dc=de</code> account. Read access is
however sufficient. Thus define a suitable replication user for this
purpose being endowed with just sufficient privileges:</para>
<para>The current configuration contains a serious security flaw: The
credentials are being sent in clear text and are thus subject to network
sniffing (e.g. by using <link
xlink:href="https://www.wireshark.org">.Wireshark</link>). In a
professional setup you will have to configure <xref linkend="glo_TLS"/>
for encrypting your communication channel.</para>
</section>
<section xml:id="sdiSectLdapByJava">
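Review bot: the new paragraph on the replication user ends with a colon ("endowed with just sufficient privileges:") but nothing follows it before the closing </section>, so either the definition of the read-only syncrepl user was not included in this commit or the colon should be a full stop. Further points in this hunk: the link text ".Wireshark" carries a stray leading period; the empty <para/> left at the top of the second listitem should be removed; "The current configuration contains a serious security flaw" directly follows a paragraph that already describes a security drawback, so either say "a second flaw" or keep the two-item numbered list this commit deletes; and the "installation procedure" link here points at the Ubuntu server guide while the first hunk changed the same phrase to link the Debian wiki, which should be made consistent.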