
Re: delta-syncrepl and acl limitation



Hello,

On 23.10.2008 17:00, Pierangelo Masarati (via Internet) wrote:
COMBES Julien - CETE Lyon/DI/ET/PAMELA wrote:

I use OpenLDAP 2.3.39.

The OpenLDAP admin guide indicates that (in chapter 15 for OpenLDAP 2.3 and 17.2.1 for 2.4):
"Syncrepl supports both partial and sparse replications. The shadow DIT fragment is defined by a general search criteria consisting of base, scope, filter, and attribute list. The replica content is also subject to the access privileges of the bind identity of the syncrepl replication connection."
[...]
With delta-syncrepl, is it possible to do partial replication on the slave with an ACL limitation on the master?

I don't see any ACL, nor a base/scope/filter restriction in your configuration. Can you please point out what is the exact issue you're seeing?

I come back with a simplified version of my ACL with which I also have the problem. With this ACL and with delta-syncrepl:
- when I start the slave with an empty base, all works fine: just the entries readable on the master are replicated.
- when I modify an entry on the master which is not readable by the slave, I get the following message on the slave:
Nov 3 11:31:17 ldapdist23-ida01 slapd[27784]: syncrepl_message_to_op: rid 001 be_modify uid=hercule.butto,ou=ser3,ou=ser2,ou=ser1,ou=ser,ou=foo,ou=organisation,dc=my,dc=domain (32)


------------------------------------------------------------------------
ACL on the master :

access to dn.subtree="cn=monitor"
        by peername.ip=127.0.0.1 read
        by * none

access to dn.subtree="cn=accesslog"
        by dn="cn=adm,ou=adm,ou=ressources,dc=my,dc=domain" read
        by dn.regex="cn=sync\..*,ou=adm,ou=ressources,dc=my,dc=domain" read
        by dn.regex="cn=sync\..*,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain" read
        by * none

access to dn.base="" by * read

access to dn.sub="ou=Test-P1,ou=TF,ou=foo,ou=organisation,dc=my,dc=domain"
        by dn.exact="cn=sync.service1,ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain" peername.ip=192.168.251.207 read
        by * break

access to dn.sub="ou=P2,ou=TF,ou=foo,ou=organisation,dc=my,dc=domain"
        by dn.exact="cn=sync.service1,ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain" peername.ip=192.168.251.207 read
        by * break

access to dn.sub="ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain"
        by dn.exact="cn=sync.service1,ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain" peername.ip=192.168.251.207 read
        by * break

access to dn.sub="ou=OH,ou=foo,ou=organisation,dc=my,dc=domain"
        filter="(|(cn=*P2*)(cn=*Test-P1*))"
        by dn.exact="cn=sync.service1,ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain" peername.ip=192.168.251.207 read
        by * break

access to *
        by dn.exact="cn=sync.service1,ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain" peername.ip=192.168.251.207 none
        by * break


access to attrs=userPassword
        by dn="cn=adm,ou=adm,ou=ressources,dc=my,dc=domain" write
        by anonymous auth
        by self write
        by * none

access to *
        by dn="cn=adm,ou=adm,ou=ressources,dc=my,dc=domain" write
        by * read
------------------------------------------------------------------------
ACL on the slave :

access to attrs=userPassword
        by anonymous auth
        by self write
        by * none

access to *
        by * read
------------------------------------------------------------------------

>  Also, I note that "updatedn" is not a valid parameter of the
> "syncrepl" statement.

OK, thanks. I have corrected that.

Regards,
Julien
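As an added diagnostic example (not part of this thread and not OpenLDAP's own code): a small Python script that parses slapd `syncrepl_message_to_op` lines of the exact shape quoted above and, for each failed operation, checks whether the target DN lies inside one of the subtrees that the master ACL grants the `cn=sync.service1` identity read access to. Result code 32 is the LDAP `noSuchObject` result. A 32 on a DN outside the readable scope is the expected side effect of ACL-limited delta-syncrepl (the accesslog record arrives, but the consumer never received the entry); a 32 on a DN inside the readable scope would indicate the consumer is genuinely missing an entry and deserves a look. The sample log lines other than the one quoted in the mail, and the `conn=... ACCEPT` line, are constructed for the example; the subtree list is copied from the master ACL in the mail. The `ou=OH` scope carries a `filter=` that cannot be evaluated from a DN alone, so DNs under it are reported as undetermined.

```python
import re
from dataclasses import dataclass

# Constructed sample: line 1 is the one quoted in the mail; lines 2 and 3 are
# constructed variants (a successful modify, and an unrelated connection line).
SAMPLE_LOG = """\
Nov 3 11:31:17 ldapdist23-ida01 slapd[27784]: syncrepl_message_to_op: rid 001 be_modify uid=hercule.butto,ou=ser3,ou=ser2,ou=ser1,ou=ser,ou=foo,ou=organisation,dc=my,dc=domain (32)
Nov 3 11:31:18 ldapdist23-ida01 slapd[27784]: syncrepl_message_to_op: rid 001 be_modify uid=jdoe,ou=Test-P1,ou=TF,ou=foo,ou=organisation,dc=my,dc=domain (0)
Nov 3 11:31:19 ldapdist23-ida01 slapd[27784]: conn=1003 fd=12 ACCEPT from IP=192.168.251.207:41234 (IP=0.0.0.0:389)
"""

# Subtrees the master ACL grants the sync identity "read" on (from the mail).
READABLE_SUBTREES = [
    "ou=Test-P1,ou=TF,ou=foo,ou=organisation,dc=my,dc=domain",
    "ou=P2,ou=TF,ou=foo,ou=organisation,dc=my,dc=domain",
    "ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain",
]
# Subtree whose read access is additionally restricted by an LDAP filter;
# readability cannot be decided from the DN in a log line.
FILTERED_SUBTREES = [
    "ou=OH,ou=foo,ou=organisation,dc=my,dc=domain",
]

LDAP_NO_SUCH_OBJECT = 32  # LDAP result code noSuchObject

# Matches "...: syncrepl_message_to_op: rid 001 be_modify <dn> (32)"
LINE_RE = re.compile(
    r"syncrepl_message_to_op: rid (?P<rid>\d+) (?P<op>be_\w+) (?P<dn>.+?) \((?P<rc>\d+)\)\s*$"
)


@dataclass
class SyncEvent:
    rid: str
    op: str
    dn: str
    rc: int


def parse_syncrepl_lines(log_text: str) -> list:
    """Extract SyncEvent records from raw slapd log text; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(SyncEvent(m["rid"], m["op"], m["dn"], int(m["rc"])))
    return events


def normalize_dn(dn: str) -> str:
    # Simplified normalisation: trims whitespace around RDNs and lowercases.
    # Assumes no escaped commas in the DN (true for all DNs in the mail).
    return ",".join(part.strip() for part in dn.split(",")).lower()


def dn_in_subtree(dn: str, base: str) -> bool:
    """True if dn equals base or is a descendant of base (dn.sub semantics)."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


def diagnose(events: list, readable: list, filtered: list) -> list:
    """Pair every event with a verdict string explaining the result code."""
    out = []
    for ev in events:
        in_readable = any(dn_in_subtree(ev.dn, b) for b in readable)
        in_filtered = any(dn_in_subtree(ev.dn, b) for b in filtered)
        if ev.rc == 0:
            verdict = "applied"
        elif ev.rc == LDAP_NO_SUCH_OBJECT and in_readable:
            verdict = "noSuchObject inside readable scope: consumer is missing an entry it should hold; investigate"
        elif ev.rc == LDAP_NO_SUCH_OBJECT and in_filtered:
            verdict = "noSuchObject in filter-scoped subtree: readability undetermined from DN alone"
        elif ev.rc == LDAP_NO_SUCH_OBJECT:
            verdict = "noSuchObject outside readable scope: expected with ACL-limited delta-syncrepl"
        else:
            verdict = f"result code {ev.rc}"
        out.append((ev, verdict))
    return out


if __name__ == "__main__":
    for ev, verdict in diagnose(parse_syncrepl_lines(SAMPLE_LOG), READABLE_SUBTREES, FILTERED_SUBTREES):
        print(f"rid={ev.rid} {ev.op} rc={ev.rc} {ev.dn}\n    -> {verdict}")
```

Run it against a real consumer's syslog by replacing `SAMPLE_LOG` with the file contents; the subtree lists should mirror whatever the master's ACL grants the replication identity, since those are what determine the "shadow DIT fragment" the consumer can ever hold.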