Which also raises the question of why Windows-trained security people think such read-only
solutions are the bee's knees, i.e. are they blindly looking at the offering and
saying "that sounds good, we'll have that" without really understanding the

Salesmen win over techies again, maybe... (story of my life)


Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Simo Sorce [s...@redhat.com]
Sent: Thursday, 15 November 2012 7:36 a.m.
To: Brian Cook
Cc: Andre Rodrigues; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] replica read-only

On Wed, 2012-11-14 at 10:26 -0800, Brian Cook wrote:
> Having a read-only replica would be ideal for placement in a DMZ.  See
> active directory's read-only domain controller introduced in 2008 R2
> for just that use case.

Hi Brian,
yes, we know about the DMZ use case, but that one goes beyond just the
'read-only' aspect. Although they call their DC an RODC, the 'read-only'
part is a bit misleading. An RODC is not so much about being read-only
as about information segregation. An RODC not only prevents
modification of a lot of data, it is also not given most of the key
material at all, requiring additional server-to-server protocols to
proxy some of the requests when the key material is not available.

When people ask about read-only replicas I am interested in their use
case, because it usually means they come from a setup where they have
just NIS or LDAP (and no Kerberos, or Kerberos is completely separate)
and used master-slave solutions.

What I try to understand is whether they are asking just because they are
used to that setup or whether there are actual deeper reasons for wanting a
similar setup.


Simo Sorce * Red Hat, Inc * New York
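The distinction Simo draws above (an RODC is about which secrets a replica holds, not about whether it accepts writes) is easy to see in a toy model. The following is an added illustration, not FreeIPA or Active Directory code: a "hub" writable DC holds every principal's long-term key, a "DMZ" replica holds none by default, forwards authentication upstream, and is only allowed to cache keys for principals named in a caching policy (the counterpart of AD's password replication policy). The challenge/response scheme, the key derivation and all names are constructed for the example. The security-relevant outcome is the last value returned by `demo()`: if the DMZ replica is compromised, only the cached keys are exposed.

```python
"""Toy model of a read-only, key-segregated replica (RODC-style).

Added example, not FreeIPA or AD code. The HMAC challenge/response and the
PBKDF2 'string-to-key' are stand-ins for the real Kerberos mechanisms.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


def derive_key(password: str, salt: str) -> bytes:
    # Stand-in for the real string-to-key function (constructed for the example).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


@dataclass
class WritableDC:
    """Holds the full key set; the only place secrets originate."""
    keys: dict  # principal -> long-term key

    def verify(self, principal: str, challenge: bytes, response: bytes) -> bool:
        key = self.keys.get(principal)
        if key is None:
            return False
        expected = hmac.new(key, challenge, "sha256").digest()
        return hmac.compare_digest(expected, response)


@dataclass
class ReadOnlyDC:
    """Replica with directory data but, by policy, almost no key material."""
    upstream: WritableDC
    allowed_to_cache: set            # caching policy: who may have keys here
    cache: dict = field(default_factory=dict)
    forwarded: list = field(default_factory=list)  # audit of proxied requests

    def verify(self, principal: str, challenge: bytes, response: bytes) -> bool:
        key = self.cache.get(principal)
        if key is not None:
            # Key is held locally: answer without talking to the hub.
            expected = hmac.new(key, challenge, "sha256").digest()
            return hmac.compare_digest(expected, response)
        # No local key: proxy the request over the server-to-server channel.
        ok = self.upstream.verify(principal, challenge, response)
        self.forwarded.append(principal)
        if ok and principal in self.allowed_to_cache:
            # Policy permits it: pull this one key down for next time.
            self.cache[principal] = self.upstream.keys[principal]
        return ok

    def keys_held(self) -> list:
        """What an attacker who owns this box actually gets."""
        return sorted(self.cache)


def demo():
    # Constructed principals: 'alice' is a DMZ user, 'admin' must never be cached.
    hub = WritableDC(keys={
        "alice": derive_key("correct horse", "alice"),
        "admin": derive_key("hunter2", "admin"),
    })
    dmz = ReadOnlyDC(upstream=hub, allowed_to_cache={"alice"})

    def attempt(principal: str, password: str) -> bool:
        challenge = b"nonce-1"  # fixed for determinism; real nonces are random
        response = hmac.new(derive_key(password, principal), challenge, "sha256").digest()
        return dmz.verify(principal, challenge, response)

    results = {
        "alice_first": attempt("alice", "correct horse"),   # forwarded, then cached
        "alice_second": attempt("alice", "correct horse"),  # answered locally
        "admin": attempt("admin", "hunter2"),               # forwarded, never cached
        "admin_wrong": attempt("admin", "nope"),            # forwarded, rejected
    }
    return results, list(dmz.forwarded), dmz.keys_held()


if __name__ == "__main__":
    results, forwarded, held = demo()
    print(results)
    print("proxied to hub for:", forwarded)
    print("keys exposed if the DMZ replica is compromised:", held)
```

Note that nothing in `ReadOnlyDC` is about refusing writes; the segregation comes entirely from which keys the replica is ever given, which is the point of the reply above.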
