On 1 Feb 2021, at 23:35, Eugen Lamers
<eugen.lamers(a)br-automation.com> wrote:
> Hi William,
> it's an old thread, but it's mine, so I will give an update on the situation and
> a follow-up question.
> We changed from StartTLS on 389 to SSL on 636 some time ago. Trying to reconsider the
> topic, we found that there is no plaintext password sent via the network between the
> replicants, which was the case in the StartTLS on 389 scenario. This would reduce the
> problem with the plaintext password for the replication manager to the storage, mainly the
> dse.ldif, I think.
To be sure, I'd need to see your configured replication agreement to understand how
it's been configured to authenticate.
Provided you are using SSL (LDAPS) and simple bind, then the password *is* sent to the
other server, but it's inside of TLS so it is secure.
> We would be glad if you could confirm this thought. It would save us
> from trying again the use of client auth for replication, which hasn't been successful
> yet.
> Kind regards,
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia
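William's answer hinges on two attributes of the replication agreement: the transport (nsds5ReplicaTransportInfo) and the bind method (nsds5ReplicaBindMethod). The script below is an added example, not code from this thread or from the 389 Directory Server project. It reads the LDIF that an ldapsearch of cn=mapping tree,cn=config for objectClass nsds5replicationagreement returns and reports, per agreement, whether the replication manager's password is sent at all and, if it is, whether it travels inside TLS. The sample LDIF, host names and DNs are constructed for the example; the defaults it assumes for an absent transport (plain LDAP) and an absent bind method (SIMPLE) are my assumptions, not something the thread states.

```python
"""Audit 389-ds replication agreements: does the replication manager's
password cross the network, and is it inside TLS when it does?

Added example, not from the thread or the 389-ds project.  Feed it the LDIF
returned by something like:

    ldapsearch -LLL -H ldaps://ldap1.example.com -D "cn=Directory Manager" -W \\
      -b "cn=mapping tree,cn=config" "(objectClass=nsds5replicationagreement)" \\
      nsds5ReplicaHost nsds5ReplicaPort nsds5ReplicaTransportInfo \\
      nsds5ReplicaBindMethod nsds5ReplicaBindDN
"""
import base64
import re
from typing import Dict, List

# Transports that wrap the connection in TLS: "SSL"/"LDAPS" is TLS from the
# first byte (port 636); "TLS"/"StartTLS" upgrades a port-389 session before
# the bind request is sent.
ENCRYPTED_TRANSPORTS = {"SSL", "LDAPS", "TLS", "STARTTLS"}
# Bind methods that transmit the bind DN's password itself.
PASSWORD_BIND_METHODS = {"SIMPLE"}

# Constructed sample: four agreements on one supplier, hosts and DNs invented.
SAMPLE_LDIF = """\
dn: cn=to-ldap2,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
nsds5ReplicaHost: ldap2.example.com
nsds5ReplicaPort: 389
nsds5ReplicaTransportInfo: LDAP
nsds5ReplicaBindMethod: SIMPLE
nsds5ReplicaBindDN: cn=replication manager,cn=config

dn: cn=to-ldap3,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
nsds5ReplicaHost: ldap3.example.com
nsds5ReplicaPort: 389
nsds5ReplicaTransportInfo: TLS
nsds5ReplicaBindMethod: SIMPLE
nsds5ReplicaBindDN: cn=replication manager,cn=config

dn: cn=to-ldap4,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
nsds5ReplicaHost: ldap4.example.com
nsds5ReplicaPort: 636
nsds5ReplicaTransportInfo: SSL
nsds5ReplicaBindMethod: SIMPLE
nsds5ReplicaBindDN: cn=replication manager,cn=config

dn: cn=to-ldap5,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
nsds5ReplicaHost: ldap5.example.com
nsds5ReplicaPort: 636
nsds5ReplicaTransportInfo: LDAPS
nsds5ReplicaBindMethod: SSLCLIENTAUTH
"""


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Minimal LDIF reader: blank-line-separated entries, folded continuation
    lines (leading space) and 'attr:: base64' values.  Attribute names are
    lower-cased so lookups are case-insensitive, as LDAP attribute names are."""
    entries: List[Dict[str, str]] = []
    entry: Dict[str, str] = {}
    last_attr = None
    for line in text.splitlines():
        if not line.strip():
            if entry:
                entries.append(entry)
            entry, last_attr = {}, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last_attr is not None:  # folded line
            entry[last_attr] += line[1:]
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry[attr] = value.strip()
        last_attr = attr
    if entry:
        entries.append(entry)
    return entries


def classify(agreement: Dict[str, str]) -> Dict[str, object]:
    """Decide what the bind in one agreement puts on the wire.  Assumption
    (mine): an absent transport means plain LDAP, an absent method SIMPLE."""
    transport = agreement.get("nsds5replicatransportinfo", "LDAP").upper()
    method = agreement.get("nsds5replicabindmethod", "SIMPLE").upper()
    encrypted = transport in ENCRYPTED_TRANSPORTS
    sends_password = method in PASSWORD_BIND_METHODS
    if sends_password and not encrypted:
        verdict = "SIMPLE bind over plain LDAP: password crosses the network in cleartext"
    elif sends_password:
        verdict = "SIMPLE bind inside TLS: password is sent, but encrypted in transit"
    elif method == "SSLCLIENTAUTH":
        verdict = "client certificate auth over TLS: no password is sent"
    else:
        verdict = f"{method}: SASL mechanism, no cleartext password"
    m = re.match(r"cn=([^,]+)", agreement.get("dn", ""), re.IGNORECASE)
    host = agreement.get("nsds5replicahost", "?")
    port = agreement.get("nsds5replicaport", "?")
    return {
        "name": m.group(1) if m else agreement.get("dn", "?"),
        "target": f"{host}:{port}",
        "transport": transport,
        "bind_method": method,
        "password_on_wire": sends_password,
        "cleartext": sends_password and not encrypted,
        "verdict": verdict,
    }


def audit(ldif_text: str) -> List[Dict[str, object]]:
    """Classify every entry that looks like an agreement (has a replica host)."""
    return [classify(e) for e in parse_ldif(ldif_text) if "nsds5replicahost" in e]


def cleartext_agreements(ldif_text: str) -> List[str]:
    """Names of agreements whose bind password is exposed on the network."""
    return [str(r["name"]) for r in audit(ldif_text) if r["cleartext"]]


if __name__ == "__main__":
    import sys
    text = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    for r in audit(text):
        print(f"{r['name']:<10} {r['target']:<24} {r['transport']:<9} "
              f"{r['bind_method']:<14} {r['verdict']}")
```

Run it with the ldapsearch output on stdin, or with no input to see the constructed sample: only the agreement on plain LDAP with a SIMPLE bind is reported as cleartext; the StartTLS and LDAPS agreements still send the password, but inside TLS, which is William's point; the SSLCLIENTAUTH agreement sends none. What the script cannot see is how the credential is stored on disk in the agreement entry and in dse.ldif, which is the separate question Eugen raises.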