[Freeipa-users] replica read-only

Steven Jones Steven.Jones at vuw.ac.nz
Thu Nov 15 20:34:52 UTC 2012


Hi,

Which also raises the Q why Windows-trained security ppl think such read-only solutions are the bees knees.  i.e. are they blindly looking at the offering and saying that sounds good, we'll have that, without really understanding the issues....

Salesmen win over techies again maybe.....(story of my life)

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Simo Sorce [simo at redhat.com]
Sent: Thursday, 15 November 2012 7:36 a.m.
To: Brian Cook
Cc: Andre Rodrigues; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replica read-only

On Wed, 2012-11-14 at 10:26 -0800, Brian Cook wrote:
> Having a read-only replica would be ideal for placement in a DMZ.  See
> active directory's read-only domain controller introduced in 2008 R2
> for just that use case.

Hi Brian,
yes we know about the DMZ use case, but that one goes beyond just the
'Read-Only' aspect. Although they call their DC a RODC, the 'ReadOnly'
part is a bit misleading. A RODC is not much about being read-only,
but more about information segregation. A RODC not only prevents
modification of a lot of data, it also is not given most of the key
material at all, requiring additional server2server protocols to deal
with proxying some of the requests when key material is not available
locally.

When people ask about read-only replicas I am interested in their use
case because it means usually they come from a setup where they have
just NIS or LDAP (and no kerberos, or kerberos is completely separated)
and used master-slave solutions.

What I try to understand is if they are asking just because they are
used to the setup or if there are actual deeper reasons for wanting a
similar setup.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
