On Friday 11 November 2005 11:10, John Halfpenny wrote:
> Thanks for replying.
>
> That makes sense. Let me see if I have the logic right.
>
> The reason my updates are being processed on the slave is because I'm not
> using a specific replication account as my updatedn. I am in fact using the
> manager DN, which explains why updates to it are being accepted when I
> connect directly to the slave with the manager's credentials.

Yes, since you are connecting as the only DN the slave will accept changes from: the updatedn. The fact that the same DN is being used for updatedn and rootdn causes the confusion on the slave slapd's part as to whom it should take changes from and whom not.

> Presumably then I need to change my slave ACLs

ACLs are not necessary to prevent writes, but ACLs will be necessary to allow the updatedn to write to the slave. It appears convenient to use the rootdn on the slave as updatedn as well, but just adding "by $updatedn write" (where $updatedn is something like dn.exact="cn=updatedn,dc=mycompany,dc=com" or group.exact="cn=replicators,dc=mycompany,dc=com") to each ACL clause will allow the updatedn to write, so it is not necessary to be lazy and use the rootdn.

> to allow only the replication account write access

A slave (with an updatedn configured) will reject any changes by any DN that is not the updatedn, irrespective of the ACLs.

> , which will force any update requests to be handed up to the master.

No, only a referral will be returned to the client that is trying to write to the slave. What the client does with the referral is entirely up to the client. The slave will not "hand" anything to the master.

> If that is right then the reason I confused the issue was to simply copy
> the config file from the master to the slave without setting separate ACLs
> on it.
Just don't use the same value for the rootdn and the updatedn on any slave, give the updatedn write access to everything it should be replicating on the slave, and everything should work. Of course, you need to have the updatedn on the slave, so you'll have to slapadd it (or add it while you're still abusing the rootdn).

Also, sync replication removes a lot of this complexity (well, the replicadn needs unlimited read access to the master, but that is easier to accomplish); you may consider trying it if you can run 2.3.x ...

Regards,
Buchan

--
Buchan Milne
ISP Systems Specialist
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
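As an added illustration of the advice in this thread (not part of the original mail, and not OpenLDAP project code), the script below parses the replication-relevant directives of a slurpd-style slave's slapd.conf and flags the three things Buchan warns about: an updatedn that is the same DN as the rootdn, an updatedn that no ACL clause grants write access, and an updatedn without an updateref (the directive that makes the slave return a referral instead of silently refusing writes). The two embedded configs are constructed samples, one with the "lazy" rootdn-as-updatedn setup and one with a dedicated replication DN and explicit "by dn.exact=... write" clauses; the DNs, suffix and master URL in them are hypothetical.

```python
"""Check a slurpd-era slave slapd.conf for the updatedn/rootdn/ACL mistakes
discussed in the thread.  Added example; the configs are constructed samples."""
import re

# Constructed "before" config: the slave reuses the rootdn as updatedn and
# has no ACL clause or updateref for a replication account.
SLAVE_BAD = """\
database        bdb
suffix          "dc=mycompany,dc=com"
rootdn          "cn=Manager,dc=mycompany,dc=com"
rootpw          secret
updatedn        "cn=Manager, dc=mycompany, dc=com"
access to attrs=userPassword
        by self write
        by anonymous auth
access to *
        by self write
        by users read
"""

# Constructed "after" config: a dedicated updatedn, an updateref pointing at
# a hypothetical master, and "by dn.exact=... write" on every ACL clause.
SLAVE_GOOD = """\
database        bdb
suffix          "dc=mycompany,dc=com"
rootdn          "cn=Manager,dc=mycompany,dc=com"
rootpw          secret
updatedn        "cn=updatedn,dc=mycompany,dc=com"
updateref       ldap://master.mycompany.com
access to attrs=userPassword
        by dn.exact="cn=updatedn,dc=mycompany,dc=com" write
        by self write
        by anonymous auth
access to *
        by dn.exact="cn=updatedn,dc=mycompany,dc=com" write
        by self write
        by users read
"""


def normalize_dn(dn):
    """Crude DN normalisation: strip quotes, lowercase, drop spaces around commas."""
    dn = dn.strip().strip('"')
    return re.sub(r"\s*,\s*", ",", dn).lower()


def parse_slapd_conf(text):
    """Return one dict per 'database' stanza with rootdn, updatedn, updateref
    and a list of ACLs; each ACL is a list of (who, access-level) pairs."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:      # slapd.conf continuation line
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    dbs = []
    for line in logical:
        keyword, _, rest = line.partition(" ")
        keyword, rest = keyword.lower(), rest.strip()
        if keyword == "database":
            dbs.append({"rootdn": None, "updatedn": None, "updateref": None, "acls": []})
        elif not dbs:
            continue                          # global section, not interesting here
        elif keyword in ("rootdn", "updatedn"):
            dbs[-1][keyword] = normalize_dn(rest)
        elif keyword == "updateref":
            dbs[-1]["updateref"] = rest
        elif keyword == "access":
            clauses = re.findall(r'\bby\s+(\S+?(?:="[^"]*")?)\s+(\S+)', rest)
            dbs[-1]["acls"].append(clauses)
    return dbs


def grants_write(acls, dn):
    """True if some 'by dn[.exact]="..." write|manage' clause names this DN."""
    for clauses in acls:
        for who, level in clauses:
            m = re.match(r'dn(?:\.exact)?="?([^"]*)"?$', who)
            if m and normalize_dn(m.group(1)) == dn and level in ("write", "manage"):
                return True
    return False


def check_replica(text):
    """Return human-readable findings for every database stanza that has an updatedn."""
    findings = []
    for i, db in enumerate(parse_slapd_conf(text)):
        upd = db["updatedn"]
        if upd is None:
            continue                          # not configured as a slave
        if db["rootdn"] is not None and upd == db["rootdn"]:
            findings.append(f"db{i}: updatedn is the rootdn; use a dedicated replication DN")
        if not grants_write(db["acls"], upd):
            findings.append(f"db{i}: no ACL grants updatedn {upd} write access "
                            "(only the rootdn bypasses ACLs)")
        if db["updateref"] is None:
            findings.append(f"db{i}: updatedn set but no updateref; "
                            "clients writing to the slave get no referral")
    return findings


if __name__ == "__main__":
    for name, conf in (("SLAVE_BAD", SLAVE_BAD), ("SLAVE_GOOD", SLAVE_GOOD)):
        print(name, check_replica(conf) or ["ok"])
```

Running it reports three findings for the first config and none for the second. The DN comparison is deliberately loose (case and comma spacing only) so that "cn=Manager, dc=..." and "cn=Manager,dc=..." are recognised as the same DN, which is exactly the situation that made the slave accept writes in the thread; it does not attempt full RFC 4514 normalisation.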