<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Directory Server (LDAP) - Security considerations for replication information</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<a name="rzahyrepsecurity"></a>
<h3 id="rzahyrepsecurity">Security considerations for replication information</h3>
<p>Review the security considerations for the following objects:</p>
<ul>
<li>ibm-replicagroup=default: Access controls on this object control who
can view or change the replication information stored here. By default, this
object inherits the access control from its parent. You should consider
setting access control on this object to restrict access to the replication
information. For example, you could define a group that contains the users who
will be managing replication. This group could be made the owner of the "ibm-replicagroup=default"
object and other users given no access to the object.</li>
<li>cn=replication,cn=localhost: There are two security considerations for
this object:
<ul>
<li>Access control on this object controls who is allowed to view or update
objects stored here. The default access control allows anonymous users to
read most information except for passwords and requires administrator authority
to add, change, or delete objects.</li>
<li>Objects stored in "cn=localhost" are never replicated to other servers.
You can place replication credentials in this container on the server that
uses the credential and they will not be accessible to other servers. Alternatively,
you might choose to place credentials under the "ibm-replicagroup=default"
object so that multiple servers share the same credentials.</li></ul></li>
<li><img src="delta.gif" alt="Start of change" />cn=IBMpolicies: You can place replication credentials in this
container, but the data in it is replicated to any consumers of the server.
Placing credentials in cn=replication,cn=localhost is considered more secure.<img src="deltaend.gif" alt="End of change" /></li></ul>
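<p>Added example, not part of the original IBM page: a Python check over an LDIF export that labels each replication credential entry by the container it lives in and reports whether ibm-replicagroup=default carries its own owner or ACL attributes. The sample DNs and values are constructed, and the script assumes the export includes entryOwner and aclEntry wherever they are set explicitly on an entry.</p>

```python
# Constructed sample export: every DN and value below is made up for illustration.
SAMPLE_LDIF = """\
dn: ibm-replicagroup=default,o=example
objectclass: ibm-replicaGroup

dn: cn=supplierbind,cn=replication,cn=localhost
objectclass: ibm-replicationCredentialsSimple
replicaCredentials: CONSTRUCTED

dn: cn=sharedbind,ibm-replicagroup=default,o=example
objectclass: ibm-replicationCredentialsSimple
replicaCredentials: CONSTRUCTED

dn: cn=policybind,cn=IBMpolicies
objectclass: ibm-replicationCredentialsSimple
replicaCredentials: CONSTRUCTED
"""

def parse_ldif(text):
    """Parse simple LDIF (no folded or base64 lines) into (dn, attrs) pairs."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append((attrs["dn"][0], attrs))
    return entries

def audit(text):
    """Label credential entries by container and the replica group by ACL state."""
    findings = []
    for dn, attrs in parse_ldif(text):
        rdns = [p.strip().lower() for p in dn.split(",")]  # ignores escaped commas
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if any(c.startswith("ibm-replicationcredentials") for c in classes):
            label = "other"
            if rdns[-2:] == ["cn=replication", "cn=localhost"]:
                label = "local-only"               # never replicated to other servers
            elif rdns[-1] == "cn=ibmpolicies":
                label = "replicated-to-consumers"  # copied to every consumer
            elif "ibm-replicagroup=default" in rdns:
                label = "shared-in-replica-group"  # shared by servers in the group
            findings.append((dn, label))
        elif rdns[0] == "ibm-replicagroup=default":
            # No owner or ACL attribute on the entry means it inherits from its parent.
            explicit = "entryowner" in attrs or "aclentry" in attrs
            findings.append((dn, "explicit-acl" if explicit else "inherits-parent-acl"))
    return findings
```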
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>