[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: refreshAndPersit vs. ACLs

To: Norbert Klasen <norbert@burgundy.dyndns.org>, openldap-software@openldap.org
Subject: Re: refreshAndPersit vs. ACLs
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Tue, 24 Oct 2006 10:33:20 -0700
Content-disposition: inline
In-reply-to: <86CEE43E0CC9F0E8C448D1C0@MC02I174>
References: <86CEE43E0CC9F0E8C448D1C0@MC02I174>

--On Tuesday, October 24, 2006 5:00 PM +0200 Norbert Klasen <norbert@burgundy.dyndns.org> wrote:

Hi,
we want entries to be replicated to a public slave, only if they have an
attribute worldreadable=TRUE.

So I've setup an ACL on the master which basically is like
access to * filter=(worldreadable=FALSE)
	by * none
access to *
	by * read
Thus, the consumer only sees entries it is allowed to replicate.

Wouldn't it be a lot easier to have that acl on your replica, so that any one binding can read it when it is true, and no one can read it when it is false? Then you can replicate it all you want, but you don't have to play games with the replication process.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

References:
- refreshAndPersit vs. ACLs
  - From: Norbert Klasen <norbert@burgundy.dyndns.org>

Prev by Date: Re: Connections pool on backend-meta and backend-ldap
Next by Date: Re: refreshAndPersit vs. ACLs
Index(es):
- Chronological
- Thread