--On Thursday, October 12, 2023 4:11 PM +0000 Marc <[email protected]>
wrote:
I am trying to create an OpenLDAP master/slave solution with syncrepl,
but I have not been successful so far.
I followed the suggestions of this site, with another sync password:
https://www.itzgeek.com/how-tos/linux/configure-openldap-master-slave-replication.html
One thing I made different, on the master server, I created the
replication user with a userPassword: in SSHA-Format instead of clear
text.
I have clear text (older os), maybe that is it?
If a password is set using the LDAPv3 password modify extended operation,
then the server will hash it. If the password is changed using an
ldapmodify operation or an ldapadd operation, and it is in cleartext, the
server will not hash it UNLESS ppolicy is also active on the server and it
has been configured to intercept and hash cleartext passwords.
See the slapo-ppolicy man page on how to configure this.
For the rest of the questions, I advise reading the OpenLDAP admin guide
and not following instructions on random websites which are often incorrect.
I'd also note that OpenLDAP offers many secure password hashing mechanisms
as the default SSHA is not considered secure. I've been moving to ARGON2
generally. You would need to know if the provider of your OpenLDAP
packages included argon2 support in their build.
--Quanah
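An added example, written for this page and not taken from either poster or from the OpenLDAP project: a small audit of a slapcat/LDIF export that shows the distinction Quanah draws. It classifies each userPassword value as cleartext (what an ldapadd/ldapmodify with a plain value leaves behind when ppolicy is not hashing), legacy ({SSHA} and the other SHA-1/MD5-based schemes) or preferred ({ARGON2}), and it builds and verifies {SSHA} values so the storage format is visible. The sample LDIF, the DNs, the passwords and the {ARGON2} digest string are all constructed for the example; the "legacy" versus "preferred" grouping is this example's own judgement following Quanah's remark, not OpenLDAP documentation.

```python
import base64
import hashlib
import hmac
import re

# Scheme prefixes slapd stores in userPassword. Grouping is this example's
# own: SHA-1/MD5-based schemes are treated as legacy, {ARGON2} as preferred.
LEGACY_SCHEMES = {"{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}"}
PREFERRED_SCHEMES = {"{ARGON2}"}
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")


def ssha_hash(password: bytes, salt: bytes) -> str:
    """Build a userPassword value in OpenLDAP's {SSHA} form:
    base64( SHA1(password || salt) || salt )."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(value: str, password: bytes) -> bool:
    """Check a candidate password against an {SSHA} value. The SHA-1 digest
    is the first 20 bytes of the decoded blob; the rest is the salt."""
    if not value.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(value[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def classify_password(value: str) -> str:
    """Map a userPassword value to 'cleartext', 'legacy', 'preferred' or 'other'.
    No scheme prefix means slapd stored the value exactly as it was given."""
    m = SCHEME_RE.match(value)
    if m is None or m.group(0).upper() == "{CLEARTEXT}":
        return "cleartext"
    scheme = m.group(0).upper()
    if scheme in LEGACY_SCHEMES:
        return "legacy"
    if scheme in PREFERRED_SCHEMES:
        return "preferred"
    return "other"


def unfold_ldif(text: str) -> list[str]:
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_userpasswords(ldif: str) -> list[tuple[str, str]]:
    """Return (dn, userPassword) pairs. 'userPassword::' carries a base64
    value, which is how slapcat writes it; 'userPassword:' is the literal form."""
    out: list[tuple[str, str]] = []
    dn = None
    for line in unfold_ldif(ldif):
        if line.startswith("dn: "):
            dn = line[len("dn: "):]
        elif line.startswith("userPassword:: ") and dn:
            raw = line[len("userPassword:: "):]
            out.append((dn, base64.b64decode(raw).decode("utf-8")))
        elif line.startswith("userPassword: ") and dn:
            out.append((dn, line[len("userPassword: "):]))
    return out


def audit(ldif: str) -> dict[str, str]:
    """Classify every userPassword in an LDIF export, keyed by DN."""
    return {dn: classify_password(pw) for dn, pw in parse_userpasswords(ldif)}


# Constructed sample export (not from the thread). The replication user was
# added with a plain value and no ppolicy hashing, so it sits in cleartext;
# alice's value is built with ssha_hash above; bob's {ARGON2} digest portion
# is a placeholder string, not a real hash, folded over two lines as LDIF allows.
SSHA_EXAMPLE = ssha_hash(b"ExamplePassw0rd", b"s4lt")
SAMPLE_LDIF = f"""dn: cn=replicator,dc=example,dc=com
objectClass: simpleSecurityObject
userPassword: ExampleReplPassw0rd

dn: uid=alice,ou=people,dc=example,dc=com
userPassword:: {base64.b64encode(SSHA_EXAMPLE.encode("ascii")).decode("ascii")}

dn: uid=bob,ou=people,dc=example,dc=com
userPassword: {{ARGON2}}$argon2id$v=19$m=65536,t=2,p=1$c2FsdHNhbHQ
 $cGxhY2Vob2xkZXItbm90LWEtcmVhbC1oYXNo
"""

if __name__ == "__main__":
    for dn, verdict in audit(SAMPLE_LDIF).items():
        print(f"{verdict:10s} {dn}")
```

Run against a real `slapcat -n 1` dump, the cleartext and legacy entries are the ones to rotate once olcPasswordHash and ppolicy hashing are set the way Quanah describes.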