2) I've set up a second FDS to act as a consumer (single master
replication). I've followed the administrator's documentation and set a simple
cn=replication manager, cn=config on both servers to act as the bind for replication (via
replication agreement). I've tested this and everything is working great (directory
entries, GSSAPI, etc). I would imagine that when the replication binds, the password is
sent in clear text. Is this true? If I create a new user in the cn=config and create a
new SASL mapping (uid=\1,cn=config) can I simply create a Kerberos principal with the same
name and use GSSAPI for the bind? The same question as #1 above is will this session be
encrypted via GSSAPI as well?

Server to server GSSAPI does not currently work. If you don't want to
send unencrypted clear text passwords over the wire, your best bet is to
set up SSL between the servers.

Hi Richard,

I've created a CA using openssl and installed the cacert on both FDS servers.
I've then requested certificates from both servers, created certificates using the CA,
and installed. I then enabled SSL on both servers and reset them. I deleted my old
replication and created a new one that's identical except I've checked "Using
encrypted SSL connection". I'm still using a Simple Authentication with
uid=RManager,cn=config and password. The replication works great.

Is this password now sent encrypted (even though I'm not using SSL client
authentication)? I'd like to keep this as simple as possible and didn't want to
deal with client certificates at this point because I'm using GSSAPI.

Thanks again for all your help.

Regards,
Jonathan