On Friday, 15 June 2007, lauro@npd.ufsc.br wrote:
> Hi,
> Do you think it's a bad practice to have one DN shared between all
> slaves?
Yes.
> Of course this DN is different from the rootdn. My ideas on why
> it's not:
> - I have to worry about only one dn/pass pair. I still have to worry
> about security on all slave server machines, that's the main problem,
> I know, but there are so many passwords; minimizing that can be good.
But, if you have an account for each slave, and one slave is compromised, you
can just remove its account (or remove it from your replicas group), instead
of having to change passwords all over. If you are using syncrepl, and use
the same account on all slaves, how much effort is there to change passwords
if one slave is compromised? How much effort is there if they have unique
accounts?
> - If someone manages to get the DN pass, he/she can write to the
> master (since on the master that DN has write access to "*"
This doesn't have to be the case.
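To illustrate the two points made in this reply (one bind DN per slave that can be revoked individually, and a replication DN that gets read access only rather than write access to "*"), here is an added slapd.conf sketch for a syncrepl setup. It is example configuration written for this thread, not configuration from the original poster or from the OpenLDAP project; the suffix dc=example,dc=com, the group cn=replicas,ou=groups,dc=example,dc=com, the per-slave DNs under ou=replicas and the hostnames are all made-up placeholders.

```conf
###########################################################################
# Provider (master) slapd.conf fragment -- added example, placeholders only
###########################################################################

# Each slave binds with its own DN, e.g.
#   cn=slave1,ou=replicas,dc=example,dc=com
#   cn=slave2,ou=replicas,dc=example,dc=com
# and all of them are listed as "member" of the group below. Revoking a
# compromised slave is then a single ldapmodify that deletes its member
# value from cn=replicas (or deletes its entry); no shared password has to
# be rotated on every other slave.

# Consumers must be able to read userPassword to replicate it, so the
# replica group is granted read here before the usual self/auth rules.
access to attrs=userPassword
    by group.exact="cn=replicas,ou=groups,dc=example,dc=com" read
    by self write
    by anonymous auth
    by * none

# Read access to everything else (including the operational attributes
# entryCSN/entryUUID/contextCSN that syncrepl needs). Note: read, not
# write. A syncrepl consumer only pulls from the provider, so the
# replication DN never needs write access on the master. "break" lets
# the remaining ACLs apply to non-replica identities.
access to *
    by group.exact="cn=replicas,ou=groups,dc=example,dc=com" read
    by * break

# The initial refresh returns the whole tree, so lift the size/time
# limits for the replica group only, not for everyone.
limits group/groupOfNames/member="cn=replicas,ou=groups,dc=example,dc=com"
    size=unlimited time=unlimited

###########################################################################
# Consumer (slave1) slapd.conf fragment -- same placeholders
###########################################################################

# Only this slave knows this DN/password; the other slaves have their own.
syncrepl rid=001
    provider=ldap://master.example.com
    type=refreshAndPersist
    retry="60 10 300 +"
    searchbase="dc=example,dc=com"
    bindmethod=simple
    binddn="cn=slave1,ou=replicas,dc=example,dc=com"
    credentials=REPLACE_WITH_SLAVE1_SECRET

# Clients that try to write to the slave are referred back to the master.
updateref ldap://master.example.com
```

With this layout, a compromised slave's DN yields read access to the directory (which the slave already had) but no write access on the master, and removing that DN from cn=replicas cuts it off without touching the other slaves' credentials.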