Making contextCSN, entryCSN visible only to sync user?
- To: openldap-technical@openldap.org
- Subject: Making contextCSN, entryCSN visible only to sync user?
- From: Karsten Heymann <karsten.heymann@gmail.com>
- Date: Tue, 2 Oct 2018 11:40:52 +0200
Hi,
I wonder if it would be harmful to modify our slapd ACLs so that only
the user used for syncrepl replication can view the
contextCSN/entryCSN attributes on the master servers. We're
considering this to prevent unintended partial replication (for
example without password fields) in case there is a misconfiguration
and the slave comes as another user/anonymous. Ideally I would block
anonymous access to our database completely but we have to update a
lot of services until this can be achieved. Does this idea make sense
or am I missing something?
Best regards
Karsten