
Re: Making contextCSN, entryCSN visible only to sync user?



--On Tuesday, October 02, 2018 12:40 PM +0200 Karsten Heymann <karsten.heymann@gmail.com> wrote:

Hi,

I wonder if it would be harmful to modify our slapd acls so that only
the user used for syncrepl replication can view the
contextCSN/entryCSN attributes on the master servers. We're
considering this to prevent unintended partial replication (for
example without password fields) in case there is a misconfiguration
and the slave comes as another user/anonymous. Ideally I would block
anonymous access to our database completely but we have to update a
lot of services until this can be achieved. Does this idea make sense
or am I missing something?

Replication requires explicit configuration -- is it a realistic concern that a replica would be brought up with a broken configuration that is set to bind anonymously or as a non-replication-specific user? That would seem like a serious process flaw.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
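For reference, the ACL the question describes, written out in slapd.conf `access to` syntax as an added example (it is not configuration posted by either participant). The replicator DN, the suffix and the `by * read` fallback for everything else are assumptions; the same rules can be expressed as `olcAccess` values under cn=config.

```text
# Added example: restrict the syncrepl bookkeeping attributes to the
# replication identity. contextCSN lives on the suffix entry, entryCSN
# on every entry; both are operational attributes, so name them explicitly.
access to attrs=contextCSN,entryCSN
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by * none

# The attribute the question is worried about losing in a partial copy:
# only the replicator may read it; users may change their own; anonymous
# may only use it for a simple bind.
access to attrs=userPassword
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by self write
        by anonymous auth
        by * none

# Remaining data stays readable for the existing services mentioned in
# the question until anonymous access can be closed off entirely.
access to *
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by * read
```

A consumer whose `syncrepl` stanza binds as anything other than `cn=replicator,dc=example,dc=com` can still search the tree under these rules, so the intended effect depends on the provider also withholding the CSN attributes from it; that is the point Quanah's reply questions, so test the behaviour of a deliberately mis-bound consumer on a staging pair before relying on it.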