
Re: syncrepl not propagating changes

On 22/08/2012 12:00, Rein Tollevik wrote:
On 22.08.12 10:46, Mark Coetser wrote:
On 22/08/2012 10:39, Howard Chu wrote:
Mark Coetser wrote:

on some of the consumers, I have multiple syncrepl configs so that I
replicate specific subdivision data to those servers.

That is not supported. You can only use multiple consumers in the same
database if they are all pointing at different providers (and each of
the providers uses a unique serverID).

Can I split them into separate databases on the consumer? Or what's the
correct way of doing what I am trying to achieve?

Use a single syncrepl stanza on these consumers too, replicating your
toplevel cn=company dn. Add ACLs on the provider which limit the user
these consumers bind as to only see those sub-trees you wish them to see.

Please could someone confirm that these ACLs would be secure. I am trying to allow services like pam/nss on the provider to still function and have access to the entire tree, and then allow the replica user from the consumer to see the base of the tree and the whole of the subdivision tree, including userPassword and shadowLastChange. Also, could someone assist with an example of a regex ACL that I could use to say that "cn=replica,*" has read access to everything in that user's subtree?

# Password attributes. slapd uses the first "access to" clause whose
# target matches, so this clause must stay ahead of the per-tree clauses.
# It has no dn restriction, so the replica user gets read on userPassword
# for every entry in the DIT, not only its own subdivision.
access to attrs=userPassword,shadowLastChange
	by dn.base="cn=admin,dc=company" write
	by dn.base="cn=replica,dc=subdivision,dc=company" read
	by anonymous auth
	by self write
	by * none

# rootDSE: local clients only (a TCP client's peername is "IP=a.b.c.d:port").
access to dn.base=""
	by peername.regex=127\.0\.0\.1 read
	by * none

# Suffix entry: the consumer reads contextCSN from here. Every "access to"
# clause ends in an implicit "by * none", so admin and the local pam/nss
# clients must be listed here too, otherwise this clause matches first and
# denies them before the catch-all "access to *" is ever reached.
access to dn.base="dc=company"
	by dn.base="cn=admin,dc=company" write
	by dn.base="cn=replica,dc=subdivision,dc=company" read
	by peername.regex=127\.0\.0\.1 read

# Subdivision subtree, same first-match reasoning as above.
access to dn.subtree="dc=subdivision,dc=company"
	by dn.base="cn=admin,dc=company" write
	by dn.base="cn=replica,dc=subdivision,dc=company" read
	by peername.regex=127\.0\.0\.1 read

# Everything else: admin and local pam/nss only.
access to *
	by dn.base="cn=admin,dc=company" write
	by peername.regex=127\.0\.0\.1 read
	by * none

Thank you,

Mark Adrian Coetser
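The regex form asked for above, written out as an added example in slapd.conf syntax (not code from the thread or from the OpenLDAP project). It uses the dn.regex target style with the "expand" modifier on the "by" clause: the regex on the entry DN captures "dc=<subdivision>,dc=company" as $2, and the expanded subject DN "cn=replica,$2" therefore matches only the replica account living in that same subdivision, so one clause serves every subdivision and the password grant is scoped the same way instead of covering the whole DIT. The consumer side is the single syncrepl stanza on the suffix that Rein describes. The provider hostname, rid, password and the names of any second subdivision are assumptions.

```conf
# ---- provider slapd.conf: ACLs (added example, names are assumptions) ----

# Passwords inside a subdivision: only that subdivision's own replica
# account may read them. $2 = "dc=<subdivision>,dc=company" from the regex.
access to dn.regex="^(.+,)?(dc=[^,]+,dc=company)$" attrs=userPassword,shadowLastChange
	by dn.base="cn=admin,dc=company" write
	by dn.exact,expand="cn=replica,$2" read
	by anonymous auth
	by self write
	by * none

# Passwords on entries outside any subdivision (e.g. directly under the
# suffix): no replica access, but binds must still work.
access to attrs=userPassword,shadowLastChange
	by dn.base="cn=admin,dc=company" write
	by anonymous auth
	by self write
	by * none

# Suffix entry: every consumer needs contextCSN from here to sync.
# Anchored peername pattern: the peername string is "IP=<addr>:<port>".
access to dn.base="dc=company"
	by dn.base="cn=admin,dc=company" write
	by dn.regex="^cn=replica,dc=[^,]+,dc=company$" read
	by peername.regex=^IP=127\.0\.0\.1:[0-9]+$ read

# Each subdivision subtree, readable by its own replica account only.
# Listing admin and localhost here matters: the first matching
# "access to" clause wins, and it ends in an implicit "by * none".
access to dn.regex="^(.+,)?(dc=[^,]+,dc=company)$"
	by dn.base="cn=admin,dc=company" write
	by dn.exact,expand="cn=replica,$2" read
	by peername.regex=^IP=127\.0\.0\.1:[0-9]+$ read

access to *
	by dn.base="cn=admin,dc=company" write
	by peername.regex=^IP=127\.0\.0\.1:[0-9]+$ read
	by * none

# ---- consumer slapd.conf: one syncrepl stanza on the whole suffix ----
# The provider's ACLs decide which entries and attributes this consumer
# actually receives; the searchbase is the suffix on every consumer.
syncrepl rid=001
	provider=ldap://ldap-provider.company.example
	type=refreshAndPersist
	retry="60 +"
	searchbase="dc=company"
	bindmethod=simple
	binddn="cn=replica,dc=subdivision,dc=company"
	credentials=secret
	starttls=critical
```

Check the result with slapacl(8) before restarting the provider, since it evaluates the configured ACLs against the local database without going over the wire: `slapacl -f /etc/ldap/slapd.conf -D "cn=replica,dc=subdivision,dc=company" -b "uid=someone,ou=people,dc=subdivision,dc=company" userPassword/read` should report the access as allowed, the same command with a `-b` entry under another subdivision should report it denied, and `slapacl -f /etc/ldap/slapd.conf -o peername=IP=127.0.0.1:12345 -b "uid=someone,ou=people,dc=subdivision,dc=company" uid/read` confirms the local pam/nss path still works. Regex targets are matched against the normalized DN, so keep the patterns lowercase as written here.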