On 03/07/2013 10:21 AM, Jon Detert wrote:
When setting up replication, I understand that you:
a) create a dn on the consumer to be used as the 'bind-dn' for the replica on the consumer;
b) create a replication agreement on the supplier, in which you reference the bind dn from a).
I have a couple questions about this:
1) How do you generate the hash used in the nsDS5ReplicaCredentials attribute of the supplier's replication agreement? I understand that the 389-ds-console will generate it for you, but I don't want to use the console.
Just use ldapmodify:
dn: dn of replication agreement
changetype: modify
replace: nsDS5ReplicaCredentials
nsDS5ReplicaCredentials: cleartextpassword
then the server will encrypt the password for you - the server uses a
reversible encryption, not a hash
2) Why is the hash recorded in the nsDS5ReplicaCredentials attribute of the supplier's replication agreement {DES} differently than the hash recorded in the person objectClass {SSHA} on the consumer for the dn?
Because it is a reversible encryption as opposed to something like SHA
which is a one way non-reversible hash.
3) How does the supplier authenticate to the consumer when replicating?
By default, simple bind (dn/password).
Does it pass the binddn credentials?
Yes.
If so, in what format?
Clear text.
How are they validated?
Same as any other bind request.
You can test with ldapsearch:
ldapsearch -xLLL -h consumerhost -p consumerport -D "replica bind DN" -w "replica password" -s base -b ""
Thanks,
Jon
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
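
Added example (not part of the original thread, and not 389-ds code): a sketch of how a consumer can validate the clear-text password from a simple bind against a one-way {SSHA} value, which is why the consumer can store a hash while the supplier, which has to present the clear text, needs a recoverable form. The function names, the 8-byte salt and the sample password are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # SHA-1 digest size in bytes


def make_ssha(password: bytes, salt: bytes = None) -> str:
    """Build a salted SHA-1 userPassword value: {SSHA}base64(digest + salt)."""
    if salt is None:
        salt = os.urandom(8)  # salt length is an assumption for this example
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_scheme(value: str):
    """Split '{SCHEME}data' into (SCHEME, data); raise on a value with no scheme."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("no storage scheme prefix")
    scheme, data = value[1:].split("}", 1)
    return scheme.upper(), data


def check_simple_bind(stored: str, presented: bytes) -> bool:
    """Check the clear-text password from a simple bind against a stored {SSHA} value."""
    scheme, data = split_scheme(stored)
    if scheme != "SSHA":
        raise ValueError("unsupported scheme: " + scheme)
    raw = base64.b64decode(data, validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("value too short to hold digest and salt")
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    # The hash cannot be reversed; the server re-hashes what was presented.
    candidate = hashlib.sha1(presented + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Constructed sample: the replica bind entry's password as stored on the consumer.
CONSUMER_STORED = make_ssha(b"replica password", salt=bytes(range(1, 9)))

if __name__ == "__main__":
    print(CONSUMER_STORED)
    print(check_simple_bind(CONSUMER_STORED, b"replica password"))
    print(check_simple_bind(CONSUMER_STORED, b"wrong password"))
```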