
Re: replication security (i)

Thanks for replying.

That makes sense. Let me see if I have the logic right.

The reason my updates are being processed on the slave is that I'm not using a specific replication account as my updatedn. I am in fact using the manager DN, which explains why updates to it are being accepted when I connect directly to the slave with the manager's credentials.

Presumably, then, I need to change my slave ACLs to allow only the replication account write access, which will force any update requests to be handed up to the master.

If that is right, then the reason I confused the issue was simply copying the config file from the master to the slave without setting separate ACLs on it.


--- On Thu 11/10, Buchan Milne <bgmilne@staff.telkomsa.net> wrote:
From: Buchan Milne <bgmilne@staff.telkomsa.net>
To: jhalfpenny@excite.com
Cc: openldap-software@OpenLDAP.org
Date: Thu, 10 Nov 2005 19:03:45 +0200
Subject: Re: replication security (i)

On Thursday 10 November 2005 17:48, John Halfpenny wrote:
> Hi Quanah.
>
> I've been using the O'Reilly book on LDAP admin for a bit of guidance on
> this, but from what I can make out any changes I make to the slave stay
> there and aren't redirected to the master... (with readonly turned off, that
> is)

If you have an 'updateref' directive for the database on the slave, a
non-replicadn client should get a referral to the value following the
directive. Usually, this should point to your master.

Whether the client will chase the referral or not is up to the client.

But, your slave should not be accepting any changes not made by the replicadn.

If you are using the rootdn for the replicadn, and making changes to the slave
from the rootdn, it will accept them.

The replicadn should not be used for *anything* but replication, which is why
you should not use the rootdn (which you may use for something else).

> Is it password related? Does it make a difference which hashed password I
> use for the rootdn (i.e. can I use the same SSHA coded password at both ends
> or do I have to generate them separately?)

Password hash is irrelevant.

Regards,
Buchan

--
Buchan Milne
ISP Systems Specialist
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
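What the two messages add up to, written out as an added example (this is not configuration from either poster's mail, nor from the OpenLDAP project): a slurpd-era master/slave pair in slapd.conf where the slave's updatedn is a dedicated replication identity rather than the rootdn, and the slave's ACLs grant write access to that identity only. The hostnames, the suffix, the replica DN and the credentials are assumptions for illustration.

```conf
# --- master slapd.conf (excerpt) ---------------------------------------
# Assumed names: dc=example,dc=com, master.example.com, slave.example.com,
# cn=replica,dc=example,dc=com. Constructed for this example.
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap

# change log that slurpd reads and pushes to each slave
replogfile      /var/lib/ldap/replog

# one replica line per slave; slurpd binds to the slave AS the replica DN,
# so this DN (with a userPassword matching credentials=) must exist in the
# directory and be replicated to the slave
replica         uri=ldap://slave.example.com
                binddn="cn=replica,dc=example,dc=com"
                bindmethod=simple
                credentials=replica-secret

# --- slave slapd.conf (excerpt) ----------------------------------------
# Note the directives that differ from the master: no replica/replogfile,
# but updatedn/updateref and a stricter ACL set. Copying the master's file
# verbatim does not produce this.
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap

# the only DN whose writes the slave applies locally; deliberately NOT the
# rootdn, which is exempt from ACLs and is used for other administration
updatedn        "cn=replica,dc=example,dc=com"
# every other client that tries to write is referred here instead
updateref       ldap://master.example.com

# ACLs: updatedn's writes are still subject to access control, so the
# replica DN needs write; nobody else gets it, keeping the slave read-only.
# userPassword is readable by nobody; 'auth' is enough for binds to work.
access to attrs=userPassword
        by dn.exact="cn=replica,dc=example,dc=com" write
        by anonymous auth
        by * none

access to *
        by dn.exact="cn=replica,dc=example,dc=com" write
        by * read
```

Why the dedicated DN matters for the ACL approach: the rootdn bypasses access controls entirely, so while the manager DN is also the updatedn, adding a write-only-for-updatedn ACL changes nothing about what a direct bind as the manager can do on the slave. With a separate replica DN as updatedn, the ACL above is what lets slurpd's pushes succeed, and any other bind that attempts a modification on the slave should receive a referral to updateref (result code 10, which ldapmodify reports as "Referral"); whether that client then follows it to the master is, as Buchan says, up to the client. A quick check after restarting the slave is to bind to it as some ordinary non-replica account with ldapmodify and attempt a change: a referral rather than a success is the expected outcome.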
