(I take this point to openldap-technical@openldap.org since it discusses OpenLDAP-specific things.)

Howard Chu wrote:
> The discussion of caching here
> http://www.ietf.org/id/draft-bannister-dbis-mapping-02.txt is one such example
> - this is purely a client-side implementation issue. Also you give nscd as an
> example, and nscd has been thoroughly discredited and is well known to be
> unsuitable for real use. Critical deployments can use a local LDAP server with
> a replica of the central data, to avoid error-prone caching implementations.
> This is a commonly recommended approach when using OpenLDAP nssov, for example.

I really wonder how this replication approach works in practice without disclosing too much data on a system more exposed to attacks from the outside. In theory one could implement partial replication based on the system's bind identity. But in practice I have some doubts because in a really paranoid setup you don't even want to disclose replication metadata and intermediate entries of the tree structure.

Ciao, Michael.
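One way to build the partial replication Michael sketches (the replica host binds with its own identity and the provider's ACLs decide which entries syncrepl may hand it), as an added slapd.conf example that is not configuration from this thread. The DNs, hostnames, CA path and the use of the cosine `host` attribute to tie accounts to a machine are all assumptions.

```conf
#### Provider (central directory), slapd.conf excerpt ####
moduleload  syncprov.la
database    mdb
suffix      "dc=example,dc=com"
overlay     syncprov
syncprov-checkpoint 100 10

# The replica host binds as cn=host1,ou=replicas; these ACLs decide what the
# sync search returns to it. Clauses are evaluated in order, first match wins.
# Never ship password hashes to the replica.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword
    by dn.exact="cn=host1,ou=replicas,dc=example,dc=com" none
    by self write
    by anonymous auth
    by * none
# Only accounts whose 'host' attribute (cosine.schema, account class) names
# this machine are visible to its replica identity; the rest never leave.
access to dn.subtree="ou=people,dc=example,dc=com" filter="(host=host1.example.com)"
    by dn.exact="cn=host1,ou=replicas,dc=example,dc=com" read
    by users read
    by * none
# Everything else in the tree stays hidden from the replica identity.
access to dn.subtree="dc=example,dc=com"
    by dn.exact="cn=host1,ou=replicas,dc=example,dc=com" none
    by users read
    by * none

#### Consumer (local slapd on host1), slapd.conf excerpt ####
database    mdb
suffix      "dc=example,dc=com"
rootdn      "cn=Manager,dc=example,dc=com"
# Pull only the subtree and filter this host needs, over TLS with a verified
# server certificate; missing parents are recreated locally as glue entries.
syncrepl    rid=001
            provider=ldaps://ldap.example.com
            type=refreshAndPersist
            retry="60 +"
            searchbase="ou=people,dc=example,dc=com"
            filter="(host=host1.example.com)"
            scope=sub
            bindmethod=simple
            binddn="cn=host1,ou=replicas,dc=example,dc=com"
            credentials="REPLACE_WITH_HOST_SECRET"
            tls_reqcert=demand
            tls_cacert=/etc/ssl/certs/example-ca.pem
# Writes go back to the provider; the local copy is read-only.
updateref   ldaps://ldap.example.com
# Only the local NSS/PAM client (e.g. nssov or nslcd) may query this copy.
access to * by peername.ip=127.0.0.1 read by * none
```

The consumer still stores syncrepl cookies, entryCSN and contextCSN values for the entries it holds, so the replica's own file permissions and ACLs matter as much as the provider's.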