
Re: Partial replication



Andrew Findlay wrote:
On Wed, Mar 31, 2010 at 08:43:19AM +0200, Zdenek Styblik wrote:

How about to refuse rights to the syncrepl user?
Actually, you could apply this to the whole tree. Just allow read to DNs
you want to replicate. So, let's say you use cn=mirrorA,dc=domain,dc=tld
for replication, then allow this cn=mirrorA to read only
o=support,dc=example,dc=com and o=location_A,dc=example,dc=com, but nowhere
else.

I have used that technique for a fairly complex design with a central
office and many small satellites. It works OK *provided* you never change
the list of entries that can be seen by the replicas. The syncrepl
system has no way to evaluate the effect of an ACL change (and probably
no way to know that one has happened).

In this case it may be better to set up multiple replication agreements
to cover the multiple subtrees required at the slave server. That would
also make it possible to chain or refer queries for the rest of the
DIT back to the master.

Multiple agreements with the same provider won't work, since there will only be one contextCSN sent from the master. After the first consumer runs, the second one will assume it is up to date.

The correct solution here is to use an extended filter with dnSubtreeMatch on each desired branch.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
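The single-agreement approach Howard describes, written out as a consumer-side slapd.conf syncrepl directive (an added example, not from the thread). It reuses the branch and replication DNs from the discussion; the rid, provider URL, retry schedule and credentials are assumed placeholders.

```conf
# Consumer slapd.conf fragment (added example, not from the thread).
# One syncrepl agreement selects both subtrees with an extended filter
# using dnSubtreeMatch on the entryDN operational attribute, so the
# provider sends one contextCSN that covers both branches instead of
# two agreements fighting over a single cookie.
# Assumed values: rid, provider host, retry, credentials placeholder.
syncrepl rid=001
    provider=ldap://master.example.com
    type=refreshAndPersist
    retry="60 +"
    searchbase="dc=example,dc=com"
    scope=sub
    filter="(|(entryDN:dnSubtreeMatch:=o=support,dc=example,dc=com)(entryDN:dnSubtreeMatch:=o=location_A,dc=example,dc=com))"
    attrs="*,+"
    schemachecking=off
    bindmethod=simple
    binddn="cn=mirrorA,dc=example,dc=com"
    credentials=REPLACE_WITH_REPLICATION_PASSWORD
```

The provider's ACLs for cn=mirrorA still bound what the consumer can receive, so keep them at read on the replicated branches only. Adding a branch means editing this filter and re-initialising the consumer, which is an explicit step rather than an ACL change syncrepl cannot see.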