
Re: Replication: 1 DN for all slaves.



On Friday, 15 June 2007, lauro@npd.ufsc.br wrote:
>   Hi,
>
>   Do you think it's a bad practice to have one DN shared between all
> slaves?

Yes.

> Of course this DN is different from the rootdn. My ideas why 
> it's not:
>
>   - I have to worry about one pair dn/pass, I still have to worry
> about security on all slave server machines, that's the main problem,
> I know, but there are so many passwords, minimizing that can be good.

But, if you have an account for each slave, and one slave is compromised, you 
can just remove its account (or remove it from your replicas group), instead 
of having to change passwords all over. If you are using syncrepl, and use 
the same account on all slaves, how much effort is there to change passwords 
if one slave is compromised? How much effort is there if they have unique 
accounts?

>   - If someone manages to get the DN pass, he/she can write to the
> master (since on the master that DN has write access to "*"

This doesn't have to be the case.

> , then all 
> the slaves, even the ones not hacked, will get that new compromised
> tree. 


>   Did I miss anything?

You didn't say which replication method you are using (slurpd or syncrepl).


-- 
Buchan Milne
ISP Systems Specialist - Monitoring/Authentication Team Leader
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
http://en.wikipedia.org/wiki/List_of_Internet_slang_phrases
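
The per-slave accounts and replicas group suggested in the reply above, sketched as a slapd.conf fragment. This is an added example, not part of the original message; it assumes syncrepl (the thread does not say which method is in use), and every DN, host name, group name and credential shown is a hypothetical placeholder.

```conf
### Master slapd.conf ###

# Weak form discussed in the thread: one shared DN with write access to "*".
# access to *
#     by dn.exact="cn=replicator,dc=example,dc=com" write
#     by * read

# Corrected form: each slave binds as its own entry, and those entries are
# members of one groupOfNames. A syncrepl consumer pulls from the master,
# so the group needs read access only, never write.
access to attrs=userPassword
    by group.exact="cn=replicas,ou=groups,dc=example,dc=com" read
    by self write
    by anonymous auth
    by * none

# "by users read" is a constructed site policy, adjust to your own ACLs.
access to *
    by group.exact="cn=replicas,ou=groups,dc=example,dc=com" read
    by users read
    by * none

### Slave 1 slapd.conf ###

# Unique bind DN and password for this slave only.
syncrepl rid=001
    provider=ldap://master.example.com
    type=refreshAndPersist
    retry="60 +"
    searchbase="dc=example,dc=com"
    bindmethod=simple
    binddn="cn=slave1,ou=replicas,dc=example,dc=com"
    credentials=SLAVE1_PASSWORD_PLACEHOLDER

### Slave 2 slapd.conf ###

# Same directive, different rid, bind DN and password.
syncrepl rid=002
    provider=ldap://master.example.com
    type=refreshAndPersist
    retry="60 +"
    searchbase="dc=example,dc=com"
    bindmethod=simple
    binddn="cn=slave2,ou=replicas,dc=example,dc=com"
    credentials=SLAVE2_PASSWORD_PLACEHOLDER
```

With this layout, revoking a compromised slave means deleting its `member` value from the group (or deleting its entry) on the master; the other slaves keep their credentials unchanged.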
