
Re: Replication: 1 DN for all slaves.



Quoting Buchan Milne <bgmilne@staff.telkomsa.net>:

On Friday, 15 June 2007, lauro@npd.ufsc.br wrote:
  Hi,

  Do you think it's a bad practice to have one DN shared between all slaves?

Yes.

Of course this DN is different from the rootdn. My ideas why it's not:

  - I have to worry about one pair dn/pass. I still have to worry about security on all slave server machines, that's the main problem, I know, but there are so many passwords; minimizing that can be good.

But, if you have an account for each slave, and one slave is compromised, you can just remove its account (or remove it from your replicas group), instead of having to change passwords all over. If you are using syncrepl, and use the same account on all slaves, how much effort is there to change passwords if one slave is compromised? How much effort is there if they have unique accounts?

  - If someone manages to get the DN pass, he/she can write to the master (since on the master that DN has write access to "*")

This doesn't have to be the case.

Yes, I got confused. My configuration is ok, no write access to the replica DN on the master, just the slave. This changes everything.



, then all the slaves, even the ones not hacked, will get that new compromised tree.


Did I miss anything?

You didn't say which replication method you are using (slurpd or syncrepl).


I use slurpd.


--
Buchan Milne
ISP Systems Specialist - Monitoring/Authentication Team Leader
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
http://en.wikipedia.org/wiki/List_of_Internet_slang_phrases
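The two layouts discussed in the thread, sketched as slapd.conf fragments for a slurpd setup. This is an added illustration, not configuration from the thread or from OpenLDAP's documentation; the host names, DNs and credential placeholders are made up.

```conf
# ---- Weak layout (the original question): one DN for every slave,
# ---- granted write access to "*" on the master.
# master slapd.conf (constructed example; all names are made up)
access to *
        by dn.exact="cn=replicator,dc=example,dc=com" write
        by * read
# A password recovered from any one slave lets an attacker write to the
# master, and slurpd then pushes that change to every slave.

# ---- Hardened layout (Buchan's suggestion): one account per slave,
# ---- and no write access for any replica DN on the master.
# master slapd.conf
# slurpd reads the replog locally and only uses binddn/credentials to
# bind to the slave, so these DNs need no write access here at all.
replogfile      /var/lib/ldap/replog
replica         uri=ldaps://slave1.example.com
                binddn="cn=repl-slave1,ou=replicas,dc=example,dc=com"
                bindmethod=simple credentials=SLAVE1_SECRET_PLACEHOLDER
replica         uri=ldaps://slave2.example.com
                binddn="cn=repl-slave2,ou=replicas,dc=example,dc=com"
                bindmethod=simple credentials=SLAVE2_SECRET_PLACEHOLDER
# Replica DNs get no special rights on the master; write stays with
# whatever rules the real administrators use.
access to *
        by * read

# slave1 slapd.conf
# The slave accepts updates only from its own DN, and that DN has write
# access only on this slave.
updatedn        "cn=repl-slave1,ou=replicas,dc=example,dc=com"
updateref       ldaps://master.example.com
access to *
        by dn.exact="cn=repl-slave1,ou=replicas,dc=example,dc=com" write
        by * read
# If slave2 is compromised: delete cn=repl-slave2 (or remove its replica
# stanza) on the master. slave1's credentials never need to change.
```

Each slave's updatedn must match the binddn the master uses for it; with syncrepl the same per-consumer accounts would instead be granted read access on the provider, for example via a replicas group.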



