--On Tuesday, October 02, 2018 12:40 PM +0200 Karsten Heymann
<[email protected]> wrote:
> Hi,
>
> I wonder if it would be harmful to modify our slapd ACLs so that only
> the user used for syncrepl replication can view the
> contextCSN/entryCSN attributes on the master servers. We're
> considering this to prevent unintended partial replication (for
> example without password fields) in case there is a misconfiguration
> and the slave comes as another user/anonymous. Ideally I would block
> anonymous access to our database completely but we have to update a
> lot of services until this can be achieved. Does this idea make sense
> or am I missing something?

Replication requires explicit configuration -- Is it a realistic concern
that a replica would be brought up with a broken configuration that is set
to bind anonymously or as a non-replication specific user? That would seem
like a serious process flaw.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>