[389-users] How do read-only consumers work?
rmeggins at redhat.com
Thu Feb 9 18:38:25 UTC 2012
On 02/09/2012 11:37 AM, Groten, Ryan wrote:
> What if the clients are external (along with the consumer) and can't
> follow the referral? Ideally the read-only replica is put in place
> outside a firewall, then it is allowed to talk directly to the master
> (clients are not allowed). This would prevent having to allow X
> number of clients to connect directly to a master directory server.
If they can't follow the referral, they will get an error.
> If it's not possible to control which updates are allowed and which
> aren't, is there a way to disable updates (from the read-only to the
> master) entirely?
There are no updates from the read-only to the master. There are only
updates from clients.
> This wouldn't be ideal because it complicates the environment for
> users (ie: don't change your password in external facing zones because
> it won't be reflected internally), but prevents an external intrusion
> from affecting internal.
See also http://directory.fedoraproject.org/wiki/Howto:ChainOnUpdate
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Thursday, February 09, 2012 11:27 AM
> *To:* General discussion list for the 389 Directory server project.
> *Cc:* Groten, Ryan
> *Subject:* Re: [389-users] How do read-only consumers work?
> On 02/09/2012 11:24 AM, Groten, Ryan wrote:
> Hi all,
> I'm testing out setting up 2 read-only consumers (each matches 1 of 2
> multi-masters). Seems to be working fine, but I'm just trying to wrap
> my head around what's happening when changes are made:
> Have 2 multi-master Directory Servers (184.108.40.206) setup and running
> Create another DS, set Replication to "dedicated consumer"
> Create a replication agreement from 1 of the multi-masters to this
> Modify an entry from the consumer
> Change is made on the read-only server and on the multi-masters
> There's no replication agreement going FROM the consumer to the
> master, but I see changes on the master side anyways. Is the consumer
> sending a request with the change to the master, who then makes the
> change and replicates it back to the consumer?
> No. The database state on the consumers are set to "referral on
> update". This means that when a update request is received on the
> consumer, it sends back to the client a referral to one of the
> masters. If you are using a "smart" client like the console, it will
> automatically follow the referral for you.
> If the above is true, then how would I go about doing something like this:
> The goal I'm trying to achieve is I want to put some read-only DS in
> an external zone. In theory I don't think the read-only's should be
> able to modify the masters for security reasons (ie: if someone
> external compromises the external DS, they shouldn't be able to delete
> all the entries in the internal). However, having the option to allow
> certain changes from the external into internal may be useful (maybe
> allowing password changes from the read-only to the master or something).
> That would be tricky to implement
> This communication, including any attached documentation, is intended
> only for the person or entity to which it is addressed, and may
> contain confidential, personal and/or privileged information. Any
> unauthorized disclosure, copying, or taking action on the contents is
> strictly prohibited. If you have received this message in error,
> please contact us immediately so we may correct our records. Please
> then delete or destroy the original transmission and any subsequent reply.
> 389 users mailing list
> 389-users at lists.fedoraproject.org <mailto:389-users at lists.fedoraproject.org>
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the 389-users