Re: Replication: 1 DN for all slaves.

[lauro@npd.ufsc.br]

Quoting Buchan Milne <bgmilne@staff.telkomsa.net>:

> On Friday, 15 June 2007, lauro@npd.ufsc.br wrote:
> >   Hi,
> >
> >   Do you think it's a bad practice to have one DN shared between all
> > slaves?
>
> Yes.
>
> > Of course this DN is different from the rootdn. My ideas why
> > it's not:
> >
> >   - I have to worry about one pair dn/pass, I still have to worry
> > about security on all slave server machines, that's the main problem,
> > I know, but there are so many passwords, minimize that can be good.
>
> But, if you have an account for each slave, and one slave is compromised, you
> can just remove its account (or remove it from your replicas group), instead
> of having to change passwords all over. If you are using syncrepl, and use
> the same account on all slaves, how much effort is there to change passwords
> if one slave is compromised? How much effort is there if they have unique
> accounts?
>
> >   - If someone manages to get the DN pass, he/she can write to the
> > master (since on the master that DN has write access to "*"
>
> This doesn't have to be the case.

 Yes, I got confused. My configuration is ok, no write access to the  
replica DN on the master, just the slave. This changes everything.

> > , then all
> > the slaves, even the ones not hacked, will get that new compromised
> > tree
>
>
> >   Did I miss anything?
>
> You didn't say which replication method you are using (slurpd or syncrepl).

 I use slurpd.

> --
> Buchan Milne
> ISP Systems Specialist - Monitoring/Authentication Team Leader
> B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
> http://en.wikipedia.org/wiki/List_of_Internet_slang_phrases



----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.