26 messages in net.java.dev.opends.usersRe: [OpenDS-users] True read-only rep...| From | Sent On | Attachments |
|---|---|---|
| Ragnar Sundblad | Sep 25, 2009 4:46 pm | |
| Daniel Schwager | Sep 26, 2009 11:07 am | |
| Ragnar Sundblad | Sep 26, 2009 1:21 pm | |
| Gilles Bellaton | Sep 27, 2009 11:45 pm | |
| Gilles Bellaton | Sep 28, 2009 12:37 am | |
| Ragnar Sundblad | Sep 28, 2009 3:08 am | |
| Ludovic Poitou | Sep 28, 2009 6:02 am | |
| Ragnar Sundblad | Sep 28, 2009 12:20 pm | |
| Anil | Sep 28, 2009 11:30 pm | |
| Gilles Bellaton | Sep 28, 2009 11:38 pm | |
| Ragnar Sundblad | Sep 29, 2009 2:43 am | |
| Gilles Bellaton | Sep 29, 2009 3:15 am | |
| Anil | Sep 29, 2009 9:59 am | |
| Gilles Bellaton | Sep 29, 2009 12:02 pm | |
| Ragnar Sundblad | May 4, 2010 2:00 pm | |
| Gilles Bellaton | May 5, 2010 12:23 am | |
| Ernest Mueller | May 5, 2010 9:30 am | |
| Ragnar Sundblad | May 5, 2010 10:32 am | |
| Gilles Bellaton | May 6, 2010 12:46 am | |
| Ragnar Sundblad | May 6, 2010 11:56 am | |
| Gilles Bellaton | May 7, 2010 12:00 am | |
| Mathieu Marie | May 7, 2010 7:32 am | |
| Ernest Mueller | May 7, 2010 1:22 pm | |
| Ragnar Sundblad | May 7, 2010 2:16 pm | |
| Ragnar Sundblad | May 7, 2010 3:00 pm | |
| Mathieu Marie | May 10, 2010 1:57 am |
| Subject: | Re: [OpenDS-users] True read-only replicas | |
|---|---|---|
| From: | Anil (repl...@gmail.com) | |
| Date: | Sep 28, 2009 11:30:27 pm | |
| List: | net.java.dev.opends.users | |
I hope I am understanding your question properly, but can't you just setup a firewall that allows for outgoing connections (on the master -> replica) but disallow all incoming connections (replica->master)? That way if the read only replica gets compromized, it can't write to the original master. The firewall rules on the master would block it.
Of course I am a little rusty on how the replication protocol works, in terms of all the TCP connections that may be involved, so I could be wrong.
On Fri, Sep 25, 2009 at 4:47 PM, Ragnar Sundblad <rag...@csc.kth.se> wrote:
Is there any way to ensure that replication is only made in one direction by the replication servers?
This is my reasoning:
For some applications you want to have extra local replicas for performance reasons, say for a mail transfer agent where you could have a replica on the very same machine.
If the directory is used for a user account database ("passwd"), a not to unusual scenario, the directory servers need to hold the highest security classing, as a breach into the account database quite likely means that anything or everything in your entire system could be compromised.
This also means that if you replicate to/from/with the mail server replica, and that machine gets compromised, your entire system is open.
Therefore, you would like to be ably to sync data only to the mail server replica and never allow any data to flow back from it.
Thanks for any insights!
/ragge