
Re: SyncRepl - no write access



Turbo Fredriksson wrote:

"Quanah" == Quanah Gibson-Mount <quanah@stanford.edu> writes:



Quanah> If you make the syncRepl updatedn match the rootdn on the
Quanah> replica, there is no need for any ACL related to syncrepl.

This works 'like a charm' (well, not really, but...).

I now have the same DN as 'rootdn', 'syncrepl:updatedn' and 'syncrepl:binddn'
(is there something wrong with this!?). The object gets updated, BUT (!)
the OpenLDAPaci attribute(s) is removed!

Are SyncRepl and ACIs mutually exclusive?

The DN I'm using (rootdn etc) DOES have read access to the attribute on the
provider, so it's not that...


No, but the OpenLDAPaci attribute is operational, and syncrepl by default searches for "* structuralObjectClass entryCSN", so you need to add that attr explicitly using the "attrs" option of the "syncrepl" statement. Something like

   attrs="* structuralObjectClass entryCSN OpenLDAPACI"

should work. There was a discussion some time ago about what the default should be. I guess a reasonable choice could be to add the "OpenLDAPACI" attribute by default if slapd is built with --enable-aci, since ACIs are essentially intended to allow access control replication; I would disagree, since ACIs impact security, and I'd prefer a wise administrator to configure their replication intentionally, not just because it's the default.

p.



   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
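The consumer-side slapd.conf that the two messages above are talking about, as an added illustration that is not part of the thread or of OpenLDAP's own documentation: the first syncrepl stanza (commented out) relies on the implicit attribute list and therefore never asks the provider for the operational OpenLDAPaci attribute, so the consumer's copy of each entry is rewritten without it; the second stanza lists OpenLDAPaci explicitly, as the reply recommends. The suffix, DNs, provider host, rid, interval and credentials are placeholders, and the binddn is assumed to already have read access to OpenLDAPaci on the provider (as the original poster says his does).

```conf
# Added example (not from the thread). Consumer-side slapd.conf fragment for a
# syncrepl replica that uses the same DN as rootdn, binddn and updatedn.
# All values below (suffix, DNs, host, rid, interval, password) are placeholders.
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=replica,dc=example,dc=com"
rootpw          {SSHA}PLACEHOLDER

# Weak form: no "attrs" option, so syncrepl falls back to its default search of
#   attrs="* structuralObjectClass entryCSN"
# "*" covers user attributes only. OpenLDAPaci is operational, so it is never
# fetched from the provider, and the consumer replaces each entry with a copy
# that has no ACIs at all.
# syncrepl rid=1
#         provider=ldap://provider.example.com
#         type=refreshOnly
#         interval=00:00:05:00
#         searchbase="dc=example,dc=com"
#         filter="(objectClass=*)"
#         scope=sub
#         schemachecking=off
#         bindmethod=simple
#         binddn="cn=replica,dc=example,dc=com"
#         credentials=PLACEHOLDER
#         updatedn="cn=replica,dc=example,dc=com"

# Corrected form: the operational OpenLDAPaci attribute is requested explicitly,
# so access control information is replicated along with the entry. Because
# updatedn matches rootdn, the consumer applies the update without any local
# ACL check, exactly as Quanah's advice in the quoted message describes.
syncrepl rid=1
        provider=ldap://provider.example.com
        type=refreshOnly
        interval=00:00:05:00
        searchbase="dc=example,dc=com"
        filter="(objectClass=*)"
        scope=sub
        attrs="* structuralObjectClass entryCSN OpenLDAPaci"
        schemachecking=off
        bindmethod=simple
        binddn="cn=replica,dc=example,dc=com"
        credentials=PLACEHOLDER
        updatedn="cn=replica,dc=example,dc=com"
```

A quick way to confirm the fix took effect is to search the consumer for one replicated entry with OpenLDAPaci named explicitly in the attribute list (as an operational attribute it is not returned by a plain search) and compare the values with the same entry on the provider; if the consumer still shows none, the provider's ACLs for the binddn are the next thing to check.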