[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Replication and acl: moddn operation problem.

On 25/5/2012 4:56 ÎÎ, Konstantin Menshikov wrote:

When i move object in forbidden by ACL subtree, then no information about this modification goes to the replica server

I don't know if you have followed a recent thread, but according to Howard Chu:

(quote) "Visibility changes due to ACL rules are not detected. syncprov only checks an entry against the search parameters of the original sync search operation, i.e., the base, scope, and filter. If an entry matches these params before the modification, and no longer matches after the operation, syncprov will send a delete message for that entry. (Likewise if an entry doesn't match before, but matches after, syncprov will send an Add for the entry.)"

So, based on this, the behavior you see is expected.

And another quote (by me):

"So in essence Howard says that ACL-based filtering in replication does not result in proper results to consumers.

This is tricky! (I didn't know either.) It means that we should *not* design our replication based on ACL-filtering (which, unfortunately, we have done too), but, on the contrary, that we should design our DIT so that it can cover our replication needs based on consumer base/scope/filter configuration, and we should design/adapt our ACLs with the above rule in mind. "

I thought of your case when I followed this thread, and I thought I should send you a notice.