
Re: refreshAndPersist vs. ACLs



Norbert Klasen wrote:
Hi,
we want entries to be replicated to a public slave, only if they have an attribute worldreadable=TRUE.


So I've set up an ACL on the master which basically is like
access to * filter=(worldreadable=FALSE)
    by * none
access to *
    by * read
Thus, the consumer only sees entries it is allowed to replicate.

Now if an entry's worldreadable attribute is changed from TRUE to FALSE, this modification will not propagate to the consumer and the entry stays visible.
However, with refreshOnly this 'lost' entry is detected and removed (syncrepl_del_nonpresent).


You should include the filter in your consumer's search spec in order to get these changes propagated immediately.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
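
Added example, not part of the original thread and not the posters' own configuration: a consumer-side `syncrepl` stanza for slapd.conf that puts the filter suggested in the reply into the search spec. The rid, provider URI, searchbase, binddn and credentials are constructed placeholders.

```conf
# Consumer (public slave) slapd.conf fragment. Constructed example:
# the rid, provider URI, searchbase, binddn and credentials are placeholders.
#
# The filter line carries the same condition the provider-side ACL enforces,
# so an entry whose worldreadable value changes from TRUE to FALSE stops
# matching the consumer's search spec instead of only becoming unreadable.
#
# Comments are kept above the directive: in slapd.conf a line that starts
# with whitespace continues the previous line, even if that line is a comment.
syncrepl rid=001
  provider=ldap://master.example.com
  type=refreshAndPersist
  retry="60 +"
  searchbase="dc=example,dc=com"
  scope=sub
  filter="(worldreadable=TRUE)"
  attrs="*,+"
  bindmethod=simple
  binddn="cn=replicator,dc=example,dc=com"
  credentials=CHANGE_ME
```

The ACL on the master from the original message stays in place as the access control; the filter only defines what the sync search covers.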