Re: delta-syncrepl and acl limitation

COMBES Julien - CETE Lyon/DI/ET/PAMELA wrote:

I use openldap 2.3.39.

The OpenLDAP admin guide indicates (in chapter 15 for OpenLDAP 2.3 and 17.2.1 for 2.4) that:
"Syncrepl supports both partial and sparse replications. The shadow DIT fragment is defined by a general search criteria consisting of base, scope, filter, and attribute list. The replica content is also subject to the access privileges of the bind identity of the syncrepl replication connection."

So, I understand that, in syncrepl, I could do a partial replication on the slave with ACL limitation on the master.

I have tried this with delta-syncrepl (with accesslog) but it doesn't seem to work, with this kind of message on the slave:
slapd : syncrepl_message_to_op: rid 252 be_modify cn=one_entry,ou=foo,ou=bar,dc=my,dc=domain (32)

The slave doesn't have the entry (due to ACL limitations) but sees modifications to it in the accesslog database and tries to synchronize the entry.

With delta-syncrepl, is it possible to do partial replication on the slave with ACL limitations on the master?

master delta-syncrepl conf:

# Accesslog
database        hdb
suffix "cn=accesslog"
rootdn "cn=accesslog"

directory       "/var/lib/ldap/accesslog"

index entryCSN,objectClass,reqEnd,reqResult,reqStart eq

overlay syncprov
syncprov-nopresent      TRUE
syncprov-reloadhint     TRUE

limits dn.regex="cn=syncuser\..*,ou=foo,ou=bar,dc=my,dc=domain"
        size.soft=unlimited size.hard=unlimited
        time.soft=unlimited time.hard=unlimited

database        hdb
suffix          "dc=my,dc=domain"
rootdn          "dc=my,dc=domain"

overlay syncprov
syncprov-checkpoint 100 10

overlay accesslog logdb "cn=accesslog" logops writes logsuccess TRUE logpurge 07+00:00 01+00:00

slave delta-syncrepl conf:

syncrepl rid=252
        retry="60 10 300 +"
updateref       ldaps://ldapmaster.my.domain

I don't see any ACL, nor a base/scope/filter restriction in your configuration. Can you please point out what is the exact issue you're seeing? Also, I note that "updatedn" is not a valid parameter of the "syncrepl" statement. You should run with -dconfig in order to track any configuration issue in your slapd.conf (OpenLDAP 2.4 would treat any misconfiguration as an error).
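As an added illustration that is not part of this thread, the fragment below shows what the two restrictions the reply asks about look like in slapd.conf: on the provider, an ACL that limits what the replication identity may read (plus read access to the accesslog database, which a delta-syncrepl consumer must be able to search), and on the consumer, a syncrepl stanza whose searchbase/scope/filter/attrs define the shadow DIT fragment together with the syncdata/logbase/logfilter parameters that select delta-syncrepl. All DNs, the host name, the directory paths and the password are placeholders. Entries the ACL hides from the replication identity never reach the consumer, while the accesslog still records writes to them; result code 32 in the quoted log line is LDAP noSuchObject, i.e. the consumer was asked to modify an entry it does not hold.

```conf
# Provider (master). Placeholder DNs, paths and names throughout.

# --- accesslog database: must be readable by the replication identity ---
database        hdb
suffix          "cn=accesslog"
rootdn          "cn=accesslog"
directory       "/var/lib/ldap/accesslog"
index           entryCSN,objectClass,reqEnd,reqResult,reqStart eq
access to *
        by dn.exact="cn=syncuser,ou=foo,ou=bar,dc=my,dc=domain" read
overlay syncprov
syncprov-nopresent      TRUE
syncprov-reloadhint     TRUE

# --- main database: the replication identity only sees one subtree ---
database        hdb
suffix          "dc=my,dc=domain"
rootdn          "cn=admin,dc=my,dc=domain"
directory       "/var/lib/ldap/main"
# No size/time limits for the replicator, so a full refresh is never cut short.
limits dn.exact="cn=syncuser,ou=foo,ou=bar,dc=my,dc=domain"
        size.soft=unlimited size.hard=unlimited
        time.soft=unlimited time.hard=unlimited
# Replicated subtree: syncuser and other authenticated users may read it.
access to dn.subtree="ou=replicated,dc=my,dc=domain"
        by dn.exact="cn=syncuser,ou=foo,ou=bar,dc=my,dc=domain" read
        by users read
# Everything else: explicitly hidden from syncuser (first matching "by" wins),
# still readable by other authenticated users. Each directive ends with an
# implicit "by * none".
access to *
        by dn.exact="cn=syncuser,ou=foo,ou=bar,dc=my,dc=domain" none
        by users read
overlay syncprov
syncprov-checkpoint 100 10
overlay accesslog
logdb           "cn=accesslog"
logops          writes
logsuccess      TRUE
logpurge        07+00:00 01+00:00

# Consumer (slave). The search parameters define the shadow DIT fragment;
# syncdata=accesslog turns on delta-syncrepl.
database        hdb
suffix          "dc=my,dc=domain"
rootdn          "cn=admin,dc=my,dc=domain"
directory       "/var/lib/ldap/main"
syncrepl rid=252
        provider=ldaps://ldapmaster.my.domain
        bindmethod=simple
        binddn="cn=syncuser,ou=foo,ou=bar,dc=my,dc=domain"
        credentials=REPLACE_WITH_SYNCUSER_PASSWORD
        searchbase="ou=replicated,dc=my,dc=domain"
        scope=sub
        filter="(objectClass=*)"
        attrs="*,+"
        schemachecking=off
        type=refreshAndPersist
        retry="60 10 300 +"
        syncdata=accesslog
        logbase="cn=accesslog"
        logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
updateref       ldaps://ldapmaster.my.domain
```

The consumer's searchbase and the provider's ACL describe the same subtree on purpose: whatever the ACL hides is also outside the consumer's search scope, so the accesslog entries for hidden objects are not ones the consumer tries to apply. Keep "updateref" as a separate directive (it is not a syncrepl parameter), and check the whole file with slaptest or with slapd -d config before relying on it.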
