On Wed, 2012-11-14 at 10:26 -0800, Brian Cook wrote:
> Having a read-only replica would be ideal for placement in a DMZ. See
> active directory's read-only domain controller introduced in 2008 R2
> for just that use case.

Hi Brian,
yes we know about the DMZ use case, but that one goes beyond just the 'Read-Only' aspect.

Although they call their DC a RODC, the 'ReadOnly' part is a bit misleading. A RODC is not much about being read-only, but more about information segregation. A RODC not only prevents modification of a lot of data, it also is not given most of the key material at all, requiring additional server2server protocols to deal with proxying some of the requests when key material is not available locally.

When people ask about read-only replicas I am interested in their use case, because it usually means they come from a setup where they have just NIS or LDAP (and no kerberos, or kerberos is completely separated) and used master-slave solutions. What I try to understand is if they are asking just because they are used to the setup or if there are actual deeper reasons for wanting a similar setup.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
