Re: quick question about a slave openldap server
- To: Andreas Hasenack <andreas@conectiva.com.br>
- Subject: Re: quick question about a slave openldap server
- From: Turbo Fredriksson <turbo@bayour.com>
- Date: 02 Apr 2002 09:59:48 +0200
- Cc: openldap-software@OpenLDAP.org
- In-reply-to: <20020328131946.GA3770@conectiva.com.br>
- Organization: LDAP/Kerberos expert wannabe
- References: <20020326140432.GB15877@conectiva.com.br> <877kny6v34.fsf@papadoc.bayour.com> <20020328131946.GA3770@conectiva.com.br>
- User-agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
>>>>> "Andreas" == Andreas Hasenack <andreas@conectiva.com.br> writes:
Andreas> Em Wed, Mar 27, 2002 at 01:42:07PM +0100, Turbo
Andreas> Fredriksson escreveu:
>> If you have the slave read-only, NO modification is possible,
>> only the replication daemon can write to it...
Andreas> I couldn't reproduce this, I set readonly to yes and the
Andreas> updatedn couldn't write to it anymore... This with
Andreas> openldap-2.0.22.
Then the bug isn't fixed (YET!?!?)
Andreas> Could you confirm this? Setting "readonly yes" on the
Andreas> slave server and updatedn will still be able to write to
Andreas> it?
I set the slave to 'readonly no' "a long time ago" because of the bug...
I have instead put some very limiting ACLs to make sure that only the
updatedn can write to the slave...
----- s n i p -----
access to attr=cn,givenName,sn,krbName,krb5PrincipalName,loginShell,gecos,mail,mailAlternateAddress,mailHost,mailQuota,trustModel,accessTo,uidNumber,gidNumber,homeDirectory,homePostalAddress,mobile,labeledURI,homePhone,userPassword,ldapPassword,clearTextPassword
        by dn="uid=turbo.+\+realm=BAYOUR.COM" read
        by dn="uid=replicator.+\+realm=BAYOUR.COM" write
        by users read
        by * none
access to *
        by dn="uid=turbo.+\+realm=BAYOUR.COM" read
        by dn="uid=replicator.+\+realm=BAYOUR.COM" write
        by * read
----- s n i p -----
I should really remove the last 'by * read' and the 'by users read' but...
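
Added example, not part of the original message: a small Python evaluator for the two ACL forms used above (`access to attr=...` and `access to *`), applying slapd's first-match rule to show what each kind of bind ends up with. The attribute list is shortened, the bind DNs in `BINDS` are constructed samples, and POSIX regex matching is approximated with Python's `re`.

```python
import re

# Constructed input: the ACL from the message, attribute list shortened for space.
ACL = r'''access to attr=cn,mail,userPassword,clearTextPassword
    by dn="uid=turbo.+\+realm=BAYOUR.COM" read
    by dn="uid=replicator.+\+realm=BAYOUR.COM" write
    by users read
    by * none
access to *
    by dn="uid=turbo.+\+realm=BAYOUR.COM" read
    by dn="uid=replicator.+\+realm=BAYOUR.COM" write
    by * read
'''
# Constructed bind DNs; the real DN form on the author's server is not shown.
BINDS = {"anonymous": None, "other user": "uid=alice/example+realm=BAYOUR.COM",
         "replicator": "uid=replicator/example+realm=BAYOUR.COM"}

def parse_acl(text):
    """Collect each 'access to <what>' with its ordered 'by <who> <level>' clauses."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["access", "to"]:
            rules.append((tok[2], []))
        elif tok[:1] == ["by"] and rules:
            rules[-1][1].append((tok[1], tok[2]))
    return rules

def who_matches(who, bind_dn):
    if who == "*" or bind_dn is None:  # None stands for an anonymous bind
        return who == "*"
    # dn="..." is an unanchored regex; POSIX regex approximated with Python's re
    is_dn = who.startswith("dn=") and re.search(who[3:].strip('"'), bind_dn)
    return who == "users" or bool(is_dn)

def effective_access(rules, attr, bind_dn):
    """First matching 'access to' applies; within it the first matching 'by' decides."""
    for what, clauses in rules:
        if what.startswith("attr=") and attr.lower() not in what[5:].lower().split(","):
            continue
        for who, level in clauses:
            if who_matches(who, bind_dn):
                return level
        return "none"  # implicit 'by * none' closes every access directive
    return "none"

def exposure(attr):
    """Access level each sample bind gets to attr under the ACL above."""
    return {n: effective_access(parse_acl(ACL), attr, dn) for n, dn in BINDS.items()}
```

`exposure("userPassword")` shows the effect of the `by users read` clause mentioned in the message: only the replicator can write, but any authenticated bind can read the password attributes. `exposure("description")` shows the final `by * read` giving anonymous binds read access to everything outside the first list.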