On Friday, 15 June 2007, lauro@npd.ufsc.br wrote: > Hi, > > Do you think it's a bad practice to have one DN shared between all > slaves? Yes. > Of course this DN is different from the rootdn. My ideas why > it's not: > > - I have to worry about one pair dn/pass, I still have to worry > about security on all slave server machines, that's the main problem, > I know, but there are so many passwords, minimize that can be good. But, if you have an account for each slave, and one slave is compromised, you can just remove its account (or remove it from your replicas group), instead of having to change passwords all over. If you are using syncrepl, and use the same account on all slaves, how much effort is there to change passwords if one slave is compromised? How much effort is there if they have unique accounts? > - If someone manages to get the DN pass, he/she can write to the > master (since on the master that DN has write access to "*" This doesn't have to be the case. > , then all > the slaves, even the ones not hacked, will get that new compromised > tree. > Did I miss anything? You didn't say which replication method you are using (slurpd or syncrepl). -- Buchan Milne ISP Systems Specialist - Monitoring/Authentication Team Leader B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592) http://en.wikipedia.org/wiki/List_of_Internet_slang_phrases
Attachment:
pgptn2AsMxwdZ.pgp
Description: PGP signature