[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated



On Tue, 15 Jan 2013 12:56:35 GMT hyc@symas.com wrote
> > It seems that operational attributes generated by slapo-allowed are
> > replicated. 
>
> Works as designed. These attributes are directoryOperation, not DSA-specific.
> Closing this ITS.

The fact that slapo-allowed in contrib/ does not declare the attribute types as
DSA-specific does not mean that they are not DSA-specific. I guess MS AD does
not care about subschema DSA-specific or not so we have to apply common sense
here.

The allowed* attr values are supposed to be generated based on the local access
control configuration. Since with OpenLDAP local configuration and therefore
local ACLs can differ on different replicas these attrs MUST NOT be replicated.

Please re-open the ITS.

Ciao, Michael.