
Re: Replication and acl: moddn operation problem.



On 25/5/2012 4:56 PM, Konstantin Menshikov wrote:

When I move an object into a subtree forbidden by ACL, no information about this modification goes to the replica server.

I don't know if you have followed a recent thread, but according to Howard Chu:

(quote) "Visibility changes due to ACL rules are not detected. syncprov only checks an entry against the search parameters of the original sync search operation, i.e., the base, scope, and filter. If an entry matches these params before the modification, and no longer matches after the operation, syncprov will send a delete message for that entry. (Likewise if an entry doesn't match before, but matches after, syncprov will send an Add for the entry.)"

So, based on this, the behavior you see is expected.

And another quote (by me):

"So in essence Howard says that ACL-based filtering in replication does not result in proper results to consumers.

This is tricky! (I didn't know either.) It means that we should *not* design our replication based on ACL-filtering (which, unfortunately, we have done too), but, on the contrary, that we should design our DIT so that it can cover our replication needs based on consumer base/scope/filter configuration, and we should design/adapt our ACLs with the above rule in mind."

I thought of your case when I followed this thread, and I thought I should send you a notice.

Regards,
Nick
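
The rule in the Howard Chu quote above, as a small Python model added here (not part of the original message and not OpenLDAP code). The DNs, the `ou=public`/`ou=private` layout and all function names are made up for illustration, and DN matching is simplified (lowercased, no escaped commas).

```python
# Model of the quoted rule: only base, scope and filter of the consumer's
# sync search decide what is sent. ACLs are deliberately not an input.

def rdns(dn):
    return [p.strip().lower() for p in dn.split(",") if p.strip()]

def in_scope(dn, base, scope):
    d, b = rdns(dn), rdns(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False                      # dn is not at or under base
    depth = len(d) - len(b)
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    return True                           # "sub"

def matches(entry, search):
    return (in_scope(entry["dn"], search["base"], search["scope"])
            and search["filter"](entry["attrs"]))

def sync_message(before, after, search):
    """Message for one consumer after an entry changes (e.g. a moddn)."""
    was, now = matches(before, search), matches(after, search)
    if was and not now:
        return "delete"                   # left the search: consumer is told
    if not was and now:
        return "add"                      # entered the search
    # The quote covers only the two cases above; "update" is this model's
    # label for an entry that matches both before and after.
    return "update" if now else None

# Constructed sample: an entry moved from ou=public to ou=private.
ATTRS = {"objectClass": "inetOrgPerson"}
PUBLIC = {"dn": "uid=kim,ou=public,dc=example,dc=com", "attrs": ATTRS}
PRIVATE = {"dn": "uid=kim,ou=private,dc=example,dc=com", "attrs": ATTRS}
ANY = lambda attrs: True                  # stands in for (objectClass=*)

# Consumer replicating the whole suffix and relying on an ACL to hide
# ou=private: the entry still matches, so no delete is generated.
WIDE = {"base": "dc=example,dc=com", "scope": "sub", "filter": ANY}
# Consumer whose searchbase itself excludes ou=private.
NARROW = {"base": "ou=public,dc=example,dc=com", "scope": "sub", "filter": ANY}

if __name__ == "__main__":
    print("wide  :", sync_message(PUBLIC, PRIVATE, WIDE))
    print("narrow:", sync_message(PUBLIC, PRIVATE, NARROW))
```

With the wide search the consumer is never told to remove the entry, which is the stale-entry situation described in this thread; with the narrow search base the same move produces a delete.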