[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Syncrepl nits with operational attributes (ITS#3289)

>For the moment you can just explicitly list 
>creatorsName/CreateTimeStamp/etc in the syncrepl attrs, and omit 
>anything else.
>Perhaps we need to add a "attrs=!foo" config syntax to strip certain 
>attributes from the incoming records. I don't really like this approach 
>because it requires too much manual intervention.

Interestingly, it looks like attrs!= is already supported (see
add_replica_attrs()) but it doesn't allow per-attribute exclusions.

Per-attribute exclusion would be very useful for maintaining
attributes too expensive to replicate, such as password audit
information (eg. lastLogon, logonCount, etc).

Our password policy plugin updates these (it can even do these
on "read-only" replicas because SLAPI internal operations are
not subject to a backend's updateref). But of course as soon as
the entry is changed on the master the attribute is overwritten.

A workaround would be to explicitly list which attributes to replicate
but this is inpractical with thousands of attribute types.

-- Luke