Re: SyncRepl - no write access
Turbo Fredriksson wrote:
> "Quanah" == Quanah Gibson-Mount <email@example.com> writes:
> Quanah> If you make the syncRepl updatedn match the rootdn on the
> Quanah> replica, there is no need for any ACL related to syncrepl.
>
> This works 'like a charm' (well, not really but...).
> I now have the same DN as 'rootdn', 'syncrepl:updatedn' and 'syncrepl:binddn'
> (is there something wrong with this!?). The object gets updated, BUT (!)
> the OpenLDAPaci attribute(s) is removed!
> Are SyncRepl and ACIs mutually exclusive?
> The DN I'm using (rootdn etc) DOES have read access to the attribute on the
> provider, so it's not that...

No, but the OpenLDAPACI attribute is operational, and syncrepl by
default searches for "* structuralObjectClass entryCSN", so you need to
add that attr explicitly using the "attrs" option of the "syncrepl"
statement. Something like

attrs="* structuralObjectClass entryCSN OpenLDAPACI"

should work. There was a discussion some time ago about what the
default should be. I guess a reasonable choice could be to add the
"OpenLDAPACI" attribute by default if slapd is built with --enable-aci,
since ACIs are essentially intended to allow access control replication;
I would disagree since ACIs impact security, and I'd prefer a wise
administrator to configure their replication intentionally, not just
because it's the default.
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
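
The check described in the reply above, as an added example that is not part of the original message or of OpenLDAP: a small Python audit that reads a consumer's slapd.conf text and reports which syncrepl statements will not request the operational OpenLDAPaci attribute. The sample config, host names, DNs and function names are constructed for illustration, and the default request list is the one quoted in the message.

```python
import re
import shlex

# Request list used when "attrs" is absent, as stated in the message above.
PAGE_DEFAULT_ATTRS = "* structuralObjectClass entryCSN"

# Constructed consumer config; hosts, DNs and rids are placeholders.
SAMPLE = """
# consumer database (constructed sample)
syncrepl rid=001
        provider=ldap://provider.example.com
        searchbase="dc=example,dc=com"
        binddn="cn=replica,dc=example,dc=com"
syncrepl rid=002
        provider=ldap://provider.example.com
        searchbase="dc=example,dc=com"
        attrs="* structuralObjectClass entryCSN OpenLDAPACI"
"""

def logical_lines(conf_text):
    """Join slapd.conf continuation lines (leading whitespace continues
    the previous line) and drop comments and blank lines."""
    out = []
    for raw in conf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def syncrepl_attrs(conf_text):
    """Return {rid: [requested attributes]} for each syncrepl statement."""
    found = {}
    for line in logical_lines(conf_text):
        tokens = shlex.split(line)  # keeps attrs="a b c" as one token
        if tokens[0].lower() != "syncrepl":
            continue
        params = {k.lower(): v for k, v in (t.split("=", 1) for t in tokens[1:] if "=" in t)}
        attrs = params.get("attrs", PAGE_DEFAULT_ATTRS)
        found[params.get("rid", "?")] = re.split(r"[,\s]+", attrs.strip())
    return found

def missing_operational(conf_text, needed=("OpenLDAPaci",)):
    """Map rid -> needed operational attributes the consumer will not request."""
    report = {}
    for rid, attrs in syncrepl_attrs(conf_text).items():
        have = {a.lower() for a in attrs}
        # "*" covers user attributes only; "+" requests all operational ones.
        report[rid] = [] if "+" in have else [n for n in needed if n.lower() not in have]
    return report
```

Running `missing_operational(SAMPLE)` flags rid 001, which falls back to the default list, and passes rid 002, which names the attribute explicitly.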