[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: syncrepl with filter question
Ralph Rößner wrote:
> Hello list,
>
> I have noticed (as of 2.4.7) an interaction of searchAndPersist
> syncrepl, search filters, and access rules that looks weird to me.
> Before I call it a bug (and submit to ITS) I'd like to ask whether I'm
> not just missing the point and everything is working as intended.
>
> So here is the situation: We replicate just part of the provider data by
> annotating the objects to replicate with an extra replication info
> attribute. Access to that attribute is restricted. Now when an object is
> change, we observe this: If the change is made by a user who has read
> access to the replication info attribute then the change is replicated.
> Otherwise it is not. It appears that the replication filter is evaluated
> using the access rights of the user making the modification, not those
> of the replication user.
>
> If someone can tell me that this is not a problem because ... whatever
> reason then I'm interested to know. Otherwise I'll pack up configs,
> logs, etc. and file a bug report.
Please check after applying this patch:
diff -u -r1.215 syncprov.c
--- ./servers/slapd/overlays/syncprov.c 10 Feb 2008 23:19:43 -0000 1.215
+++ ./servers/slapd/overlays/syncprov.c 7 Mar 2008 23:30:34 -0000
@@ -1209,7 +1209,7 @@
}
/* check if current o_req_dn is in scope and matches filter */
- if ( fc.fscope && test_filter( op, e, ss->s_op->ors_filter ) ==
+ if ( fc.fscope && test_filter( ss->s_op, e, ss->s_op->ors_filter ) ==
LDAP_COMPARE_TRUE ) {
if ( saveit ) {
sm = op->o_tmpalloc( sizeof(syncmatches), op->o_tmpmemctx );
If it fixes your issue, please file an ITS.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------