[Date Prev][Date Next] [Chronological] [Thread] [Top]

Making contextCSN, entryCSN visible only to sync user?

To: openldap-technical@openldap.org
Subject: Making contextCSN, entryCSN visible only to sync user?
From: Karsten Heymann <karsten.heymann@gmail.com>
Date: Tue, 2 Oct 2018 11:40:52 +0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=Ymukj71pTdgkpLSLbeTT+SPeeEZ2/rktIdWC4LDDrdQ=; b=JFgqmZHWPyqzTu9vP6S7WXsP6piEQa9k6eGRsx97Da/tAmo2bPZbS1LlDAgsukkoYQ PFm/PwK85a2sBGsy5bNjy0zyfmDxTDdiZCeBxWD8b30Y9mHKc+qGW+iSyCU/ATRk7X6E xU1m4HMtSRR9b51OMmITu+zBXon8nlSfTQCWu+zZBmUmNVpMirj9mV/FPPPEV7FPmxIX N/VXHd3Qi13vhaa0UXBtYY6EsF5JT2B5TOZ4PKtsdszUu+F0gBGLnPF4BbK4hsjNjOCb IKi/9fVOuMQhJWksTEUzqpZstEg6dwzKp4yH1tcTWCQchZMNLtjXP/+r1x/iLcVsm8mo z5TA==

Hi,

I wonder if it would be harmful to modify our slapd acls so that only
the  user used for syncrepl replication can view the
contextCSN/entryCSN attributes on the master servers. We're
considering this to prevent unintended partial replication (for
example without password fields) in case there is a misconfiguration
and the slave comes as another user/anomymous. Ideally I would block
anonymous access to our database completely but we have to update a
lot of services until this can be achieved. Does this idea make sense
or am I missing something?

Best regards
Karsten

Follow-Ups:
- Re: Making contextCSN, entryCSN visible only to sync user?
  - From: Quanah Gibson-Mount <quanah@symas.com>

Prev by Date: Q: Renewing certificates online
Next by Date: Re: Q: Renewing certificates online
Index(es):
- Chronological
- Thread