
Re: quick question about a slave openldap server



>>>>> "Andreas" == Andreas Hasenack <andreas@conectiva.com.br> writes:

    Andreas> On Wed, Mar 27, 2002 at 01:42:07PM +0100, Turbo
    Andreas> Fredriksson wrote:
    >> If you have the slave read-only, NO modification is possible,
    >> only the replication daemon can write to it...

    Andreas> I couldn't reproduce this, I set readonly to yes and the
    Andreas> updatedn couldn't write to it anymore... This with
    Andreas> openldap-2.0.22.

Then the bug isn't fixed (YET!?!?)

    Andreas> Could you confirm this? Setting "readonly yes" on the
    Andreas> slave server and updatedn will still be able to write to
    Andreas> it?

I set the slave to 'readonly no' "a long time ago" because of the bug...

I have instead put some very limiting ACLs to make sure that only the
updatedn can write to the slave...

----- s n i p -----
access to attr=cn,givenName,sn,krbName,krb5PrincipalName,loginShell,gecos,mail,mailAlternateAddress,mailHost,mailQuota,trustModel,accessTo,uidNumber,gidNumber,homeDirectory,homePostalAddress,mobile,labeledURI,homePhone,userPassword,ldapPassword,clearTextPassword
        by dn="uid=turbo.+\+realm=BAYOUR.COM" read
        by dn="uid=replicator.+\+realm=BAYOUR.COM" write
        by users read
        by * none

access to *
        by dn="uid=turbo.+\+realm=BAYOUR.COM" read
        by dn="uid=replicator.+\+realm=BAYOUR.COM" write
        by * read
----- s n i p -----

I should really remove the last 'by * read' and the 'by users read' but...
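An added example, not code from the thread or from OpenLDAP itself: a small Python check that parses slapd.conf "access to ... by ..." directives shaped like the snippet above and, for a replica, flags any write grant to a DN other than the updatedn plus any 'users' or '*' read of password attributes. The sample fragment and the updatedn regex are constructed, modelled on the post's ACL.

```python
import re

# Constructed sample modelled on the ACL in the post (not a real server's slapd.conf).
SAMPLE_ACL = """\
access to attr=cn,userPassword,ldapPassword,clearTextPassword
        by dn="uid=turbo.+\\+realm=BAYOUR.COM" read
        by dn="uid=replicator.+\\+realm=BAYOUR.COM" write
        by users read
        by * none

access to *
        by dn="uid=turbo.+\\+realm=BAYOUR.COM" read
        by dn="uid=replicator.+\\+realm=BAYOUR.COM" write
        by * read
"""

# Assumed updatedn regex of the replica, as it appears inside dn="..." in the ACL.
UPDATEDN_PATTERN = r"uid=replicator.+\+realm=BAYOUR.COM"

# Attributes that should never be readable by 'users' or '*' on any server.
SENSITIVE = {"userpassword", "ldappassword", "cleartextpassword"}

def parse_acls(text):
    """Split slapd.conf access directives into [{'what': ..., 'by': [(who, level), ...]}]."""
    acls = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            acls.append({"what": line[len("access to "):].strip(), "by": []})
        elif line.startswith("by ") and acls:
            m = re.match(r"by\s+(.+?)\s+(none|auth|compare|search|read|write)$", line)
            if m:
                acls[-1]["by"].append((m.group(1), m.group(2)))
    return acls

def audit_replica_acls(text, updatedn):
    """Return human-readable findings for a replica whose only legitimate writer is updatedn."""
    findings = []
    for acl in parse_acls(text):
        what = acl["what"]
        attrs = set()
        if what.startswith("attr="):
            attrs = {a.strip().lower() for a in what[len("attr="):].split(",")}
        for who, level in acl["by"]:
            if level == "write" and who != f'dn="{updatedn}"':
                findings.append(f"write granted to {who} on '{what}'")
            if who in ("*", "users") and level != "none" and attrs & SENSITIVE:
                findings.append(f"{who} can {level} password attributes on '{what}'")
            if who == "*" and level != "none" and not attrs:
                findings.append(f"anonymous '*' granted {level} on '{what}'")
    return findings
```

Run against the sample it reports exactly the two clauses the post says should go: 'by users read' on the password attributes and the trailing 'by * read'.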