[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#7019) attribute auditContext should not get replicated

> michael@stroeder.com wrote:
>> Full_Name:
>> Version: 2.4.26
>> OS:
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (
>> It seems that attribute auditContext is replicated to consumers if
>> there's an
>> accesslog DB configured at the provider. IMO this does not make sense
>> since the
>> accesslog DB is not replicated and one might not want to load
>> slapo-accesslog
>> module at all in the consumer's config.
>> In a 2-way MMR setup with accesslog DB attached to both master providers
>> the
>> auditContext contains two values for auditContext and even the same one.
> Since a syncrepl operation is a regular LDAP search, the provider sends
> everything that matches the search request. Probably we should be
> filtering
> out DSA-specific opattrs at the consumer side.

Agree.  User-wise, there could be a (set of) configuration option(s) that
result in a safe default filtering, while allowing "expert" users (or for
experimental reasons) to replicate things arbitrarily.

1) protect auditContext with ACLs at the producer's side
2) document the need to use filter="(!(objectClass=auditContext))" (or
whatever is appropriate) when configuring the consumer.