Re: Partial replication, remove branch
On 20/03/2012 12:37, anax wrote:
> On 03/20/2012 10:54 AM, jehan procaccia wrote:
>> I would like to replicate only some OUs under the baseDN; ou=people and
>> ou=group,ou=system, but not the remaining OUs below ou=system =>
>> ou=Hosts, ou=Networks, ou=Protocol.
>> How can I remove those branches from replication?
>> My actual syncrepl config, which replicates all the subtree branches:
>>
>> syncrepl rid=001
>>     provider=ldaps://master.domain.fr
>>     type=refreshAndPersist
>>     searchbase="dc=int-evry,dc=fr"
>>     filter="(objectClass=*)"
>>     attrs="*"
>>     scope=sub
>>     schemachecking=on
>>     bindmethod=simple
>>     retry="60 10 300 +"
>>     binddn="cn=replic,ou=System,dc=int-evry,dc=fr"
>>     credentials="secret"
>> updateref ldaps://master.domain.fr:636
>
> Define the ACL for binddn="cn=replic,ou=System,dc=int-evry,dc=fr" such
> that it cannot access the ou's you don't want to sync.
>
> suomi

Thanks, I achieved a partial replication of only the wanted branches, as you
suggested, by restricting the ACLs for the replica's account to the
branches/attributes I want.
However, that's not an easy config to set up. I noticed that as soon as
I forgot to mention an attribute in a subtree object, all the objects in
that subtree aren't replicated; it's the same for a branch's DN node.
For example, I initially forgot the attribute associatedDomain, which was
part of that object, and then that object node and all subtree objects below
it weren't replicated.
So I ended up with many more ACLs like this:

# ou=system,dc=int-evry,dc=fr BaseDN ACL to get ou=system object node
access to dn.exact="ou=system,dc=int-evry,dc=fr"
    by dn="cn=admin,dc=int-evry,dc=fr" write
    by dn="cn=replic,ou=System,dc=int-evry,dc=fr" read
    by users read
# Groups and associated attributes
access to dn.subtree="ou=Group,ou=System,dc=int-evry,dc=fr"
    attrs=cn,sn,memberuid,member,mail,description,entry,objectclass,associatedDomain,gidNumber,ou
    by dn="cn=admin,dc=int-evry,dc=fr" write
    by dn="cn=replic,ou=System,dc=int-evry,dc=fr" read
    by users read

How can I check for performance issues with all the ACLs I added? Is there a
program to test / bench the ACLs or optimise them?
Thanks.
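
An added example, not part of the original message or of OpenLDAP: a small Python check for the gap described above, listing for each entry the attributes (and the `entry` pseudo-attribute) that the ACLs do not let the replica DN read. It is a simplified model with hypothetical function names: it handles only `dn.exact`/`dn.subtree` targets, literal `attrs=` lists, and `by dn="..."`, `by users` and `by *` clauses, and it treats the replica as an authenticated bind.

```python
import re

# Constructed samples: group ACL from the post minus associatedDomain, and one LDIF entry.
CONF = '''access to dn.subtree="ou=Group,ou=System,dc=int-evry,dc=fr"
  attrs=cn,memberuid,member,description,entry,objectclass,gidNumber,ou
  by dn="cn=admin,dc=int-evry,dc=fr" write
  by dn="cn=replic,ou=System,dc=int-evry,dc=fr" read
'''
LDIF = '''dn: cn=staff,ou=group,ou=system,dc=int-evry,dc=fr
objectClass: posixGroup
cn: staff
gidNumber: 1000
associatedDomain: int-evry.fr
'''

def norm(dn):
    return re.sub(r'\s*,\s*', ',', dn.strip().lower())  # DNs match case-insensitively

def parse_rules(conf):
    rules = []
    for line in re.sub(r'\n[ \t]+', ' ', conf).splitlines():  # join continuation lines
        m = re.match(r'access\s+to\s+dn\.(exact|subtree)="([^"]+)"(.*)', line)
        if m:
            a = re.search(r'\sattrs=(\S+)', m.group(3))
            attrs = set(a.group(1).lower().split(',')) if a else None
            by = re.findall(r'by\s+(dn="[^"]+"|users|\*)\s+(\w+)', m.group(3))
            rules.append((m.group(1), norm(m.group(2)), attrs, by))
    return rules

def readable(rules, dn, attr, replica):
    for style, base, attrs, by in rules:  # first rule matching entry + attribute wins
        in_scope = dn == base or (style == 'subtree' and dn.endswith(',' + base))
        if in_scope and (attrs is None or attr in attrs):
            for who, level in by:  # first applicable 'by' clause decides
                if who in ('users', '*') or norm(who[4:-1]) == replica:
                    return level in ('read', 'write', 'manage')
            return False  # implicit "by * none"
    return False  # no rule matched: implicit deny at the end of the ACL list

def unreadable(conf, ldif, replica_dn):  # entry DN -> attributes the replica cannot read
    rules, report = parse_rules(conf), {}
    for block in ldif.strip().split('\n\n'):
        pairs = [l.split(':', 1) for l in block.splitlines()]
        dn = norm(pairs[0][1])
        names = {'entry'} | {k.lower() for k, _ in pairs[1:]}
        bad = sorted(a for a in names if not readable(rules, dn, a, norm(replica_dn)))
        if bad:
            report[dn] = bad
    return report
```

Calling `unreadable(CONF, LDIF, "cn=replic,ou=System,dc=int-evry,dc=fr")` on the constructed samples reports `associateddomain` for the group entry; an empty result means every attribute present in the sample entries is covered for that DN.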