[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Syncrepl not replicating entire tree

To: "Saket Sathe" <saket@cc.iitb.ac.in>
Subject: Re: Syncrepl not replicating entire tree
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Mon, 8 Aug 2005 11:52:54 +0200 (CEST)
Cc: openldap-software@OpenLDAP.org
Importance: Normal
In-reply-to: <42F72299.3000509@cc.iitb.ac.in>
References: <OF8F0B0741.60456E98-ON88257057.001FBEB0-88257057.001E4394@thoughtworks.com> <42F6FED7.2000707@sys-net.it> <42F70F53.6050102@cc.iitb.ac.in> <40737.131.175.154.56.1123490573.squirrel@131.175.154.56> <42F72299.3000509@cc.iitb.ac.in>
User-agent: SquirrelMail/1.4.3a-1

> Hi,
> Here are the ACLs used by the consumer.
>
> #
> # LDAP slave3 ACLs
> #
> access to attrs=userPassword,ntPassword,lmPassword
>         by dn="cn=Replicator,dc=iitb,dc=ac,dc=in" write
>         by dn="cn=Manager,dc=iitb,dc=ac,dc=in" write
>         by dn.exact="cn=courier,ou=people,dc=iitb,dc=ac,dc=in" read
>         by dn.exact="cn=sambaproxy,ou=people,dc=iitb,dc=ac,dc=in" read
>         by dn.exact="cn=ftproxy,ou=people,dc=iitb,dc=ac,dc=in" read
>         by dn.exact="cn=qmail,ou=People,dc=iitb,dc=ac,dc=in" read
>         by anonymous auth
>         by * none
>
> access to *
>         by dn="cn=Replicator,dc=iitb,dc=ac,dc=in" write
>         by dn="cn=Manager,dc=iitb,dc=ac,dc=in" write
>         by dn.exact="cn=courier,ou=people,dc=iitb,dc=ac,dc=in" read
>         by dn.exact="cn=sambaproxy,ou=people,dc=iitb,dc=ac,dc=in" read
>         by dn.exact="cn=ftproxy,ou=people,dc=iitb,dc=ac,dc=in" read
>         by dn.exact="cn=qmail,ou=People,dc=iitb,dc=ac,dc=in" read
>         by * read

... which can safely reduce to

access to attrs=userPassword,ntPassword,lmPassword
        by dn="cn=Replicator,dc=iitb,dc=ac,dc=in" write
        by dn="cn=Manager,dc=iitb,dc=ac,dc=in" write
        by dn.exact="cn=courier,ou=people,dc=iitb,dc=ac,dc=in" read
        by dn.exact="cn=sambaproxy,ou=people,dc=iitb,dc=ac,dc=in" read
        by dn.exact="cn=ftproxy,ou=people,dc=iitb,dc=ac,dc=in" read
        by dn.exact="cn=qmail,ou=People,dc=iitb,dc=ac,dc=in" read
        by anonymous auth

access to *
        by dn="cn=Replicator,dc=iitb,dc=ac,dc=in" write
        by dn="cn=Manager,dc=iitb,dc=ac,dc=in" write
        by * read

OK, now we see that nothing prevents from reading any object, except for
the passwords.

My concern (and my question, which you didn't answer yet) is: can the
replication identity read the missing objects from the producer?  This
involves permissions on the producer side.

My other question is: since you counted the DNs in both slapcats, can you
check if any of the entries you cannot see has "glue" objectClass?

Finally: it is not clear, from your earlier messages, if you can see the
missing entries with ldapsearch.  Can you?

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

Follow-Ups:
- Re: Syncrepl not replicating entire tree
  - From: Saket Sathe <saket@cc.iitb.ac.in>

References:
- Re: Syncrepl not replicating entire tree
  - From: Barrow H Kwan <bhkwan@thoughtworks.com>
- Re: Syncrepl not replicating entire tree
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: Syncrepl not replicating entire tree
  - From: Saket Sathe <saket@cc.iitb.ac.in>
- Re: Syncrepl not replicating entire tree
  - From: "Pierangelo Masarati" <ando@sys-net.it>

Prev by Date: Re: Problems with RootDSE and Access Controls
Next by Date: Re: Syncrepl not replicating entire tree
Index(es):
- Chronological
- Thread