[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Recommended strategy for replicating cn=config database



On Dienstag 12 Juli 2011 19:38:57 Jonathan Underwood wrote:
> Hi,
[..]
> where rid=001 corresponds to the entry:
> 
> olcSyncRepl: rid=001
>   provider=ldap://auth0.domain
>   bindmethod=sasl saslmech=gssapi
>   searchbase="cn=config"
>   type=refreshAndPersist
>   retry="30 30 300 +" timeout=1
> 
> The reason this isn't working is clear: slapd on the consumer is not
> binding as the rootdn of the cn=config tree, and so therefore cannot
> search that database.
> 
> I am not sure what the best fix is for this, particularly from a
> security point-of-view. My first thought was to add an ACL to the
> cn=config database such as olcAccess: to * by users read by * none,
> but this then opens up the cn=config tree to be readable by any
> authenticated user, which is somewhat undesirable.
Why not use a more restrictive ACL that only gives the identities read 
access that really need it? E.g. by using the 
UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth DN form that slapd 
generates when SASL is used. (If you plan add more mirrormode nodes, it 
might probably be better to create a group for them) 
 
> Does anyone have a suggestion as to a good strategy to allow cn=config
> replication in this situation?
> 
> Thanks in advance,
> Jonathan.

Ralf