
Replication and acl: moddn operation problem.



Hi.

I have a replication setup.
Full replication of o=company, but the user for replication (uid=replica,ou=users,o=company) is limited by ACL.

Master configuration:

access to dn.subtree="ou=users,o=company"  attrs=userPassword
       by anonymous auth

access to dn.base="o=company"
       by dn.exact="uid=replica,ou=users,o=company" read

access to dn.subtree="ou=dev,o=company"
       by dn.exact="uid=replica,ou=users,o=company" read

#######################################################################
# BDB database definitions
#######################################################################

database        hdb
suffix          "o=company"
rootdn          "cn=ldapadm,o=company"
rootpw          password
directory       /var/db/openldap-data/o=company

overlay syncprov


Slave configuration:
#######################################################################
# BDB database definitions
#######################################################################

database        hdb
suffix          "o=company"
rootdn          "cn=ldapadm,o=company"
rootpw          password
directory       /var/db/openldap-data/o=company

syncrepl rid=001
                provider=ldap://ro1.devel.ldap.company.ru:389
                type=refreshAndPersist
                retry="5 10 300 +"
                searchbase="o=company"
                scope=sub
                schemachecking=off
                starttls=critical
                bindmethod=simple
                tls_reqcert=never
                binddn="uid=replica,ou=users,o=company"
                credentials="password"


Replication works.

When I move an object into a subtree forbidden by the ACL, no information about this modification goes to the replica server,
e.g. this operation on the master server:

dn: ou=groups2,ou=dev,o=company
changetype: moddn
newrdn: ou=groups2
deleteoldrdn: 1
newsuperior: ou=corp,o=company

This object is not deleted and the contextCSN is not updated on the replica.

Is this expected behavior or not?

--
Konstantin Menshikov
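The situation above can be checked from the consumer side. The following script is an added example, not part of the original post or of OpenLDAP: it models the read scope the master's ACL grants to uid=replica (dn.base o=company plus dn.subtree ou=dev,o=company), computes where the moddn from the post puts the entry, and then compares two LDIF dumps to find entries the consumer still holds but the replica identity can no longer see on the provider. The LDIF samples, the CSN values and all function names (replica_can_read, moddn_new_dn, find_stale_entries, context_csns) are constructed for this example; the LDIF parser is deliberately minimal and handles only plain "attr: value" lines.

```python
"""Detect consumer drift caused by a moddn out of the replica's ACL scope.

Added example (not from the original post).  The ACL scopes below mirror the
two 'read' clauses granted to uid=replica in the master configuration.
"""
from typing import Dict, List, Optional, Tuple

# Scopes in which uid=replica has read access on the master (from the post).
# Each rule is (style, dn) where style is "base" or "subtree".
REPLICA_READ_SCOPES: List[Tuple[str, str]] = [
    ("base", "o=company"),
    ("subtree", "ou=dev,o=company"),
]

# Constructed: result of 'ldapsearch -b o=company "*" "+"' bound as uid=replica,
# taken after the moddn moved ou=groups2 from ou=dev to ou=corp.
PROVIDER_VIEW = """\
dn: o=company
objectClass: organization
contextCSN: 20240301120000.000000Z#000000#000#000000

dn: ou=dev,o=company
objectClass: organizationalUnit
"""

# Constructed: slapcat-style dump of the consumer at the same moment.
CONSUMER_DUMP = """\
dn: o=company
objectClass: organization
contextCSN: 20240301110000.000000Z#000000#000#000000

dn: ou=dev,o=company
objectClass: organizationalUnit

dn: ou=groups2,ou=dev,o=company
objectClass: organizationalUnit
"""


def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: lowercase and strip spaces around RDNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def replica_can_read(dn: str, scopes=REPLICA_READ_SCOPES) -> bool:
    """True if dn lies inside a base or subtree scope granted to the replica DN."""
    d = norm_dn(dn)
    for style, scope in scopes:
        s = norm_dn(scope)
        if style == "base" and d == s:
            return True
        if style == "subtree" and (d == s or d.endswith("," + s)):
            return True
    return False


def moddn_new_dn(old_dn: str, newrdn: str, newsuperior: Optional[str] = None) -> str:
    """DN an entry has after a moddn with the given newrdn and optional newsuperior."""
    parent = newsuperior if newsuperior else old_dn.split(",", 1)[1]
    return norm_dn(newrdn + "," + parent)


def explain_moddn(old_dn: str, newrdn: str, newsuperior: Optional[str] = None):
    """Return (new_dn, readable_before, readable_after) for the replica identity."""
    new_dn = moddn_new_dn(old_dn, newrdn, newsuperior)
    return new_dn, replica_can_read(old_dn), replica_can_read(new_dn)


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF parser: entries keyed by normalised DN, attribute names lowercased.
    Supports only 'attr: value' lines separated by blank lines (no base64, no folding)."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    current: Dict[str, List[str]] = {}
    dn = None
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = current
            current, dn = {}, None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr.lower() == "dn":
            dn = norm_dn(value)
        else:
            current.setdefault(attr.lower(), []).append(value)
    return entries


def find_stale_entries(provider_view: str, consumer_dump: str) -> List[str]:
    """DNs the consumer holds that the replica identity does not see on the provider."""
    prov = parse_ldif(provider_view)
    cons = parse_ldif(consumer_dump)
    return sorted(dn for dn in cons if dn not in prov)


def context_csns(provider_view: str, consumer_dump: str, suffix: str = "o=company"):
    """contextCSN values of the suffix entry on both sides, for a quick drift check."""
    prov = parse_ldif(provider_view).get(norm_dn(suffix), {})
    cons = parse_ldif(consumer_dump).get(norm_dn(suffix), {})
    return prov.get("contextcsn", []), cons.get("contextcsn", [])


if __name__ == "__main__":
    # The moddn from the post: the target DN is outside everything the replica may read.
    print(explain_moddn("ou=groups2,ou=dev,o=company", "ou=groups2", "ou=corp,o=company"))
    print("stale on consumer:", find_stale_entries(PROVIDER_VIEW, CONSUMER_DUMP))
    print("contextCSN provider/consumer:", context_csns(PROVIDER_VIEW, CONSUMER_DUMP))
```

To run it against real servers, replace PROVIDER_VIEW with the output of an ldapsearch over the suffix bound as the replica DN (request the operational attributes with "+" so contextCSN is included) and CONSUMER_DUMP with a slapcat of the consumer. An entry that the consumer holds but the replica identity cannot read on the provider is exactly what a moddn into an ACL-forbidden subtree leaves behind, since from the replica's point of view the entry simply disappears from its readable scope.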