On Wed, 2012-11-14 at 10:26 -0800, Brian Cook wrote:
> Having a read-only replica would be ideal for placement in a DMZ.  See
> active directory's read-only domain controller introduced in 2008 R2
> for just that use case.

Hi Brian,
yes we know about the DMZ use case, but that one goes beyond just the
'Read-Only' aspect. Although they call their DC a RODC, the 'ReadOnly'
part is a bit misleading. A RODC is not much about being read-only,
but more about information segregation, A RODC not only prevents
modification of a lot of data, it also is not given most of the key
material at all, requiring additional server2server protocols to deal
with proxying some of the requests when key material is not available
locally.

When people ask about read-only replicas I am interested in their use
case because it means usually they come from a setup where they have
just NIS or LDAP (and no kerberos, or kerberos is completely separated)
and used master-slave solutions.

What I try to understand is if they are asking just because they are
used to the setup or if there are actual deeper reasons for wanting a
similar setup.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to