Hi,
Do you think it's a bad practice to have one DN shared between all slaves? Of course this DN is different from the rootdn. My ideas on why it's not:
- I have to worry about one dn/pass pair. I still have to worry about security on all slave server machines, that's the main problem, I know, but there are so many passwords that minimizing that can be good.
- If someone manages to get the DN pass, he/she can write to the master (since on the master that DN has write access to "*"), then all the slaves, even the ones not hacked, will get that new compromised tree. If replication were not automatic, having one dn/pass for each slave would allow me to have some slaves with a "good" tree in the event someone gets the dn/pass of a slave, and then writing on the master would not affect all slaves. Since it is automatic... and I have no reason to make it happen by human interaction, one slave affected means all slaves and the server affected, even with different DNs/passwords.
Did I miss anything?
thanks,
Lauro
---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program.
On Friday, 15 June 2007, lauro@npd.ufsc.br wrote:
> Hi,
> Do you think it's a bad practice to have one DN shared between all slaves?

Yes.

> Of course this DN is different from the rootdn. My ideas on why it's not:
> - I have to worry about one dn/pass pair. I still have to worry about security on all slave server machines, that's the main problem, I know, but there are so many passwords that minimizing that can be good.

But, if you have an account for each slave, and one slave is compromised, you can just remove its account (or remove it from your replicas group), instead of having to change passwords all over. If you are using syncrepl, and use the same account on all slaves, how much effort is there to change passwords if one slave is compromised? How much effort is there if they have unique accounts?

> - If someone manages to get the DN pass, he/she can write to the master (since on the master that DN has write access to "*"

This doesn't have to be the case.

> , then all the slaves, even the ones not hacked, will get that new compromised tree.

> Did I miss anything?

You didn't say which replication method you are using (slurpd or syncrepl).
Quoting Buchan Milne <bgmilne@staff.telkomsa.net>:
> On Friday, 15 June 2007, lauro@npd.ufsc.br wrote:
>> Hi,
>> Do you think it's a bad practice to have one DN shared between all slaves?
>
> Yes.
>
>> Of course this DN is different from the rootdn. My ideas on why it's not:
>> - I have to worry about one dn/pass pair. I still have to worry about security on all slave server machines, that's the main problem, I know, but there are so many passwords that minimizing that can be good.
>
> But, if you have an account for each slave, and one slave is compromised, you can just remove its account (or remove it from your replicas group), instead of having to change passwords all over. If you are using syncrepl, and use the same account on all slaves, how much effort is there to change passwords if one slave is compromised? How much effort is there if they have unique accounts?
>
>> - If someone manages to get the DN pass, he/she can write to the master (since on the master that DN has write access to "*"
>
> This doesn't have to be the case.

Yes, I got confused. My configuration is ok: no write access for the replica DN on the master, just on the slave. This changes everything.

>> , then all the slaves, even the ones not hacked, will get that new compromised tree
>
>> Did I miss anything?
>
> You didn't say which replication method you are using (slurpd or syncrepl).

I use slurpd.

> --
> Buchan Milne
> ISP Systems Specialist - Monitoring/Authentication Team Leader
> B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
> http://en.wikipedia.org/wiki/List_of_Internet_slang_phrases
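As an added illustration of the two points made in this thread (one replica identity per slave so a single slave can be revoked, and no write access for that identity on the master), here is what a slurpd setup like Lauro's could look like in slapd.conf. This is example configuration written for this page, not configuration posted by either participant or taken from the OpenLDAP project; the hostnames, DNs, group names and passwords are placeholders, and the syntax is that of the slapd.conf-style `replica`, `updatedn` and `access` directives of the slurpd era.

```conf
###### master slapd.conf (constructed example, placeholder names) ######

# One replica directive per slave, each with its OWN bind DN and password.
# slurpd reads these and pushes changes to each slave under that identity,
# so losing slave2's credential does not give anyone slave1's.
replica uri=ldap://slave1.example.com \
        binddn="cn=replica-slave1,ou=replicas,dc=example,dc=com" \
        bindmethod=simple credentials=PLACEHOLDER_PASSWORD_1
replica uri=ldap://slave2.example.com \
        binddn="cn=replica-slave2,ou=replicas,dc=example,dc=com" \
        bindmethod=simple credentials=PLACEHOLDER_PASSWORD_2

# WEAK (the setup Lauro first described): the shared replica identity can
# write everything on the master, so a credential lifted from any slave
# rewrites the master and, through replication, every other slave.
#access to *
#        by dn.exact="cn=replica,dc=example,dc=com" write
#        by * read

# CORRECTED: on the master the replica identities appear in no "write"
# clause at all. With slurpd the master pushes to the slaves, so the
# replica DNs never need to bind on the master; only the admin group
# writes here. Membership in cn=replicas is only a bookkeeping device so
# that one slave can be revoked by removing one member.
access to attrs=userPassword
        by group="cn=admins,ou=groups,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none
access to *
        by group="cn=admins,ou=groups,dc=example,dc=com" write
        by * read

###### slave1 slapd.conf (constructed example) ######

# Only this slave's own identity may apply updates here; slave2's
# credential, even if stolen, is refused on slave1. Ordinary clients
# that try to write are referred back to the master.
updatedn "cn=replica-slave1,ou=replicas,dc=example,dc=com"
updateref ldap://master.example.com

# The replica entry is itself replicated, so the slave can verify its
# simple bind; the updatedn is the only identity with write access.
access to attrs=userPassword
        by dn.exact="cn=replica-slave1,ou=replicas,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none
access to *
        by dn.exact="cn=replica-slave1,ou=replicas,dc=example,dc=com" write
        by * read
```

Revoking a compromised slave under this layout is local: drop its `replica` line on the master and its entry (or its `member` value in cn=replicas), and the other slaves keep running with untouched credentials, which is the effort difference Buchan asks about.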