
Re: (ITS#7019) attribute auditContext should not get replicated



> michael@stroeder.com wrote:
>> Full_Name:
>> Version: 2.4.26
>> OS:
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (84.163.26.156)
>>
>>
>> It seems that attribute auditContext is replicated to consumers if there's
>> an accesslog DB configured at the provider. IMO this does not make sense
>> since the accesslog DB is not replicated and one might not want to load the
>> slapo-accesslog module at all in the consumer's config.
>>
>> In a 2-way MMR setup with accesslog DB attached to both master providers
>> the auditContext contains two values for auditContext and even the same
>> one.
>
> Since a syncrepl operation is a regular LDAP search, the provider sends
> everything that matches the search request. Probably we should be filtering
> out DSA-specific opattrs at the consumer side.

Agree.  User-wise, there could be a (set of) configuration option(s) that
result in a safe default filtering, while allowing "expert" users (or for
experimental reasons) to replicate things arbitrarily.

Alternatives:
1) protect auditContext with ACLs at the producer's side
2) document the need to use filter="(!(objectClass=auditContext))" (or
whatever is appropriate) when configuring the consumer.

p.
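For readers following the thread, here is an added slapd.conf sketch of the two alternatives above; it is illustration written for this archive page, not configuration posted by the ITS participants or shipped with OpenLDAP. The suffix, the replication identity cn=replicator and the provider hostname are placeholders. Alternative 1 hides auditContext from the replication identity with an ACL on the producer (this only works if the consumer does not bind as the rootdn, which bypasses ACLs). Alternative 2 drops the attribute in the consumer's syncrepl configuration; since auditContext is an attribute type rather than an object class, I use the syncrepl exattrs= keyword to exclude it instead of a search filter.

```conf
###########################################################################
# Producer (provider) side -- constructed example, placeholder names.
###########################################################################
database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap

overlay         syncprov

# The accesslog overlay is what adds the operational attribute auditContext
# to the suffix entry, pointing at the log database below.
overlay         accesslog
logdb           "cn=accesslog"
logops          writes
logsuccess      TRUE

# Alternative 1: ACL at the producer.
# ACLs are evaluated in order: the first "access to" clause matching the
# attribute is used, and within it the first matching "by" clause decides.
# The replication identity gets no access to auditContext, so the provider
# omits it from the entries it sends to the consumer; everyone else keeps
# the ordinary read access.  cn=replicator must be a regular DN, not the
# rootdn, or this clause is never consulted.
access to attrs=auditContext
        by dn.exact="cn=replicator,dc=example,dc=com" none
        by * read

access to *
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by self write
        by * read

###########################################################################
# Consumer side -- constructed example, placeholder names.
###########################################################################
database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap

# Alternative 2: exclude the attribute in the consumer's syncrepl setup.
# exattrs= names attributes that are left out of the replicated attribute
# set, so auditContext is never stored on the consumer even when the
# producer still sends it.  The consumer therefore does not need to load
# slapo-accesslog just to know the attribute type.
syncrepl        rid=001
                provider=ldap://provider.example.com
                type=refreshAndPersist
                searchbase="dc=example,dc=com"
                exattrs="auditContext"
                bindmethod=simple
                binddn="cn=replicator,dc=example,dc=com"
                credentials=PLACEHOLDER_SECRET
                retry="60 +"
```

The two approaches can be combined: the ACL keeps a DSA-specific attribute from leaving the producer at all, while exattrs= protects a consumer against producers whose ACLs were not tightened, which is the safer default when you do not control every provider in an MMR setup.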