Re: delta-syncrepl and acl limitation

[Howard Chu <hyc@symas.com>]

COMBES Julien - CETE Lyon/DI/ET/PAMELA wrote:
> Hello,
>
> Le 23.10.2008 17:00,>  Pierangelo Masarati (par Internet) a écrit  :
> > COMBES Julien - CETE Lyon/DI/ET/PAMELA wrote:
> >
> > > I use openldap 2.3.39.
> > >
> > > The Openldap admin guide indicates that (in chapter 15 for the
> > > openldap 2.3 and 17.2.1 for 2.4) :
> > > "Syncrepl supports both partial and sparse replications. The shadow
> > > DIT fragment is defined by a general search criteria consisting of
> > > base, scope, filter, and attribute list. The replica content is also
> > > subject to the access privileges of the bind identity of the syncrepl
> > > replication connection."
> [...]
> > > With delta-syncrepl, is it possible to do partial replication on slave
> > > with ACL limitation on master  ?
> > I don't see any ACL, nor a base/scope/filter restriction in your
> > configuration.  Can you please point our what is the exact issue you're
> > seeing?
>
> I come back with a simplified version of my ACL for which I have also
> the problem. With This ACL and with delta-syncrepl :
>    - when I start the slave with an empty base, all work fine : just
> entries readable on the master are replicated.
>    - when I modify an entry on the master which is not readable by the
> slave, I have the following message on the slave :
> Nov  3 11:31:17 ldapdist23-ida01 slapd[27784]: syncrepl_message_to_op:
> rid 001 be_modify
> uid=hercule.butto,ou=ser3,ou=ser2,ou=ser1,ou=ser,ou=foo,ou=organisation,dc=my,dc=domain
> (32)
>
> ------------------------------------------------------------------------
> ACL on the master :
>
> access to dn.subtree="cn=monitor"
>           by peername.ip=127.0.0.1 read
>           by * none
>
> access to dn.subtree="cn=accesslog"
>           by dn="cn=adm,ou=adm,ou=ressources,dc=my,dc=domain" read
>           by dn.regex="cn=sync\..*,ou=adm,ou=ressources,dc=my,dc=domain" read
>           by
> dn.regex="cn=sync\..*,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain"
> read
>           by * none
>
> access to dn.base="" by * read
>
> access to dn.sub="ou=Test-P1,ou=TF,ou=foo,ou=organisation,dc=my,dc=domain"
>       by
> dn.exact="cn=sync.service1,ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain"
> peername.ip=192.168.251.207 read
>       by * break
>
> access to dn.sub="ou=P2,ou=TF,ou=foo,ou=organisation,dc=my,dc=domain"
>       by
> dn.exact="cn=sync.service1,ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain"
> peername.ip=192.168.251.207 read
>       by * break
>
> access to
> dn.sub="ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain"
>       by
> dn.exact="cn=sync.service1,ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain"
> peername.ip=192.168.251.207 read
>       by * break
>
>
> access to dn.sub="ou=OH,ou=foo,ou=organisation,dc=my,dc=domain"
>             filter="(|(cn=*P2*)(cn=*Test-P1*))"
>       by
> dn.exact="cn=sync.service1,ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain"
> peername.ip=192.168.251.207 read
>       by * break
>
> access to *
>       by
> dn.exact="cn=sync.service1,ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain"
> peername.ip=192.168.251.207 none
>       by * break
>
> access to attrs=userPassword
>           by dn="cn=adm,ou=adm,ou=ressources,dc=my,dc=domain" write
>           by anonymous auth
>           by self write
>           by * none
>
> access to *
>           by dn="cn=adm,ou=adm,ou=ressources,dc=my,dc=domain" write
>           by * read
> ------------------------------------------------------------------------

Since you're using delta-syncrepl, you have to set corresponding ACLs on the 
log DB in order to prevent the consumer from seeing the entries you don't want 
it to access.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/