Hi,

Which also raises the question why Windows-trained security ppl think such read-only solutions are the bees knees, i.e. are they blindly looking at the offering and saying "that sounds good, we'll have that" without really understanding the issues....

Salesmen win over techies again maybe.....(story of my life)

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: [email protected] [[email protected]] on behalf of Simo Sorce [[email protected]]
Sent: Thursday, 15 November 2012 7:36 a.m.
To: Brian Cook
Cc: Andre Rodrigues; [email protected]
Subject: Re: [Freeipa-users] replica read-only

On Wed, 2012-11-14 at 10:26 -0800, Brian Cook wrote:
> Having a read-only replica would be ideal for placement in a DMZ. See
> active directory's read-only domain controller introduced in 2008 R2
> for just that use case.

Hi Brian,
yes we know about the DMZ use case, but that one goes beyond just the 'Read-Only' aspect.

Although they call their DC a RODC, the 'ReadOnly' part is a bit misleading. A RODC is not much about being read-only, but more about information segregation. A RODC not only prevents modification of a lot of data, it also is not given most of the key material at all, requiring additional server2server protocols to deal with proxying some of the requests when key material is not available locally.

When people ask about read-only replicas I am interested in their use case, because it usually means they come from a setup where they have just NIS or LDAP (and no kerberos, or kerberos is completely separated) and used master-slave solutions. What I try to understand is if they are asking just because they are used to the setup or if there are actual deeper reasons for wanting a similar setup.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
