
replicating central NSS data (was: DBIS - new IETF drafts)

(I take this point to openldap-technical@openldap.org since it discusses
OpenLDAP-specific things.)

Howard Chu wrote:
> The discussion of caching here
> http://www.ietf.org/id/draft-bannister-dbis-mapping-02.txt is one such example
> - this is purely a client-side implementation issue. Also you give nscd as an
> example, and nscd has been thoroughly discredited and is well known to be
> unsuitable for real use. Critical deployments can use a local LDAP server with
> a replica of the central data, to avoid error-prone caching implementations.
> This is a commonly recommended approach when using OpenLDAP nssov, for example.

I really wonder how this replication approach works in practice without
disclosing too much data on a system more exposed to attacks from the outside.

In theory one could implement partial replication based on the system's bind
identity. But in practice I have some doubts because in a really paranoid
setup you don't even want to disclose replication metadata and intermediate
entries of the tree structure.

Ciao, Michael.
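As an added illustration that is not part of this thread, here is how the "partial replication keyed to the bind identity" idea maps onto OpenLDAP syncrepl: the provider only returns what the consumer's bind DN is allowed to read, so the provider ACL, not the consumer, decides what lands on the exposed host. All DNs, hostnames and the credential are hypothetical placeholders.

```conf
### provider (central server) slapd.conf, hypothetical example
# syncprov serves the sync search to consumers; the search itself is an
# ordinary LDAP search and is subject to the ACLs below.
overlay syncprov

# The NSS replica identity may read only posixAccount-relevant attributes
# under ou=People. 'entry' is needed so the container and the search base are
# visible at all; entryCSN/entryUUID are granted for the sync protocol itself.
access to dn.subtree="ou=People,dc=example,dc=com"
        attrs=entry,objectClass,entryCSN,entryUUID,uid,uidNumber,gidNumber,cn,gecos,homeDirectory,loginShell
        by dn.exact="cn=nss-replica,ou=Replicas,dc=example,dc=com" read
        by * none

# Everything else (userPassword, other subtrees, other attributes) is
# withheld from the replica identity; nothing it cannot read is replicated.
access to *
        by * none

### consumer (the exposed host running nssov) slapd.conf, hypothetical example
database        mdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap/nss-replica

syncrepl rid=101
        provider=ldaps://ldap.example.com
        type=refreshAndPersist
        retry="60 +"
        searchbase="ou=People,dc=example,dc=com"
        scope=sub
        filter="(objectClass=posixAccount)"
        attrs="objectClass,uid,uidNumber,gidNumber,cn,gecos,homeDirectory,loginShell"
        bindmethod=simple
        binddn="cn=nss-replica,ou=Replicas,dc=example,dc=com"
        credentials=CHANGEME_PLACEHOLDER
        tls_reqcert=demand

# Residual disclosure (the point raised above): the replica identity must still
# be able to read the search base entry and the sync operational attributes, so
# the path from the suffix down to ou=People and the entryCSN/entryUUID values
# of every replicated entry are necessarily visible on the exposed host.
```

The consumer-side filter and attrs only narrow what is requested; the provider ACL is what actually bounds what an attacker on the replica host could obtain.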
