[Date Prev][Date Next]
Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
On Tue, 15 Jan 2013 13:37:06 GMT email@example.com wrote
> On 01/15/2013 01:56 PM, firstname.lastname@example.org wrote:
> > On Tue, Jan 15, 2013 at 12:18:59PM +0000, email@example.com wrote:
> >> Full_Name:
> >> Version: RE24 6f33e2c
> >> OS:
> >> URL:
> >> Submission from: (NULL) (2001:8d8:1fe:1:d6be:d9ff:fe06:a14f)
> >> It seems that operational attributes generated by slapo-allowed are
> >> replicated. >
> > Works as designed. These attributes are directoryOperation, not
> > DSA-specific.
> I see the point; since they're generated by the overlay in response to
> search operations, either they should not be replicated, or replication
> should accept them.
> Their value depends on ACLs, so in order to reflect ACLs on a specific
> DSA they should be generated; however, I concur ACLs should not depend
> on the specific DSA of a replication setup.
The values depend on local ACLs *and* current authz-DN.
=> These attributes MUST NOT be replicated.