[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SyncRepl - no write access

Turbo Fredriksson wrote:

"Quanah" == Quanah Gibson-Mount <quanah@stanford.edu> writes:

Quanah> If you make the syncRepl updatedn match the rootdn on the Quanah> replica, there is no need for any ACL related to syncrepl.

This work 'like a charm' (well, not really but...).

I now have the same DN as 'rootdn', 'syncrepl:updatedn' and 'syncrepl:binddn'
(is there something wrong with this!?). The object gets updated, BUT (!)
the OpenLDAPaci attribute(s) is removed!

Is SyncRepl and ACI's mutually exclusive?

The DN I'm using (rootdn etc) DOES have read access to the attribute on the
provider, so it's not that...

o, but the OpenLDAPACI attribute is operaational, and syncrepl by defaultsearches for "* structuralObjectClass entryCSN", so you need to add that attr explicitly using the "attrs" option of the "syncrepl" statement. Something like

   attrs="* structuralObjectClass entryCSN OpenLDAPACI"

should work. There was a discussion some time ago about what should the default be. I guess a resonable choice could be to add the "OpenLDAPACI" attribute by default if slapd is built with --enable-aci, since ACIs are essentially intended to allow access control replication; I would disagree since ACIs impact security, and I'd prefer a wise administrator to configure their replication intentionally, not just because it's the default.


   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497