Stop Master servers and set nsslapd-encryptionalgorithm.  The allowed value is AES or 3DES.
   dn: cn=changelog5,cn=config
   [...]
   nsslapd-encryptionalgorithm: AES

De: Rich Megginson <rmeggins@redhat.com>
Assunto: Re: [389-users] changelog
Para: "Denise Cosso" <guanaes51@yahoo.com.br>
Data: Terça-feira, 4 de Junho de 2013, 16:34

On 06/04/2013 01:26 PM, Denise Cosso wrote:

Hi, Rich CentOS release 6.3 (Final) 389-ds-base-libs-1.2.10.2-20.el6_3.x86_64 389-ds-1.2.2-1.el6.noarch 389-dsgw-1.1.10-1.el6.x86_64 389-ds-console-1.2.6-1.el6.noarch 389-ds-console-doc-1.2.6-1.el6.noarch 389-ds-base-1.2.10.2-20.el6_3.x86_64

As far as replication goes - you will need to use a security layer (SSL, TLS, or GSSAPI) to protect the clear text password on the wire

As far as encrypting it in the changelog - not sure

Denise --- Em ter, 4/6/13, Rich Megginson <rmeggins@redhat.com> escreveu: De: Rich Megginson <rmeggins@redhat.com> Assunto: Re: [389-users] changelog Para: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org> Cc: "Denise Cosso" <guanaes51@yahoo.com.br> Data: Terça-feira, 4 de Junho de 2013, 16:11 On 06/04/2013 12:39 PM, Denise Cosso wrote: Hi, Description of problem: When a userPassword is changed in a server with changelog, the hashed password is logged and also a cleartext pseudo-attribute version. It looks like this: change:: replace: userPassword userPassword: {SHA256}vqtiN2LHdrEUOJUKu+IBVqAVFsAlvFw+11kD/Q== - replace: unhashed#user#password unhashed#user#password: secret12 This unhashed version is used in winsync where the cleartext version of the password must be written to the AD. Now if the DS is involved in replication with another DS, the change will be replayed exactly as it is logged to the other DS replicas, including the cleartext pseudo-attribute password. What platform?  What version of 389-ds-base are you using? thanks, Denise -- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users