[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Syncrepl and mmr



What we've decided to do is to back out of the TLS and get Syncrepl/MMR working then implement TLS.

Going to keep sharp objects away from my wrists.

-----Original Message-----
From: Michael Ströder [mailto:michael@stroeder.com] 
Sent: Friday, January 31, 2014 2:41 PM
To: Borresen, John - 0442 - MITLL; openldap-technical@openldap.org
Subject: Re: Syncrepl and mmr

Borresen, John - 0442 - MITLL wrote:
> I'm not trying to implement partial replication.

Missed the smiley?

Your *first* ACL should give read access to the whole tree to the group of
replicas and then pass on all other access checking to the subsequent ACLs (by
* break).

Something like:

limits
  group="cn=replicas,dc=example,dc=com"
    time=unlimited
    size=unlimited

access to
  dn.subtree="ou=ampua"
    by group="cn=replicas,dc=example,dc=com" read
    by * break

Ciao, Michael.

> -----Original Message-----
> From: Michael Ströder [mailto:michael@stroeder.com] 
> Sent: Friday, January 31, 2014 2:15 PM
> To: Quanah Gibson-Mount; Borresen, John - 0442 - MITLL; openldap-technical@openldap.org
> Subject: Re: Syncrepl and mmr
> 
> Quanah Gibson-Mount wrote:
>> --On Friday, January 31, 2014 1:20 PM -0500 "Borresen, John - 0442 - MITLL"
>> <John.Borresen@ll.mit.edu> wrote:
>>
>>> Thanks, Quanah
>>>
>>> Not sure what you meant by " Well, it may not have been this issue, but
>>> it definite would become an issue then."
>>>
>>> Was what I did a good thing or not?  Curious minds want to know. <lol>
>>
>> The lack of read permissions for the replication user would absolutely be an
>> issue at some point. ;)
> 
> To put it the other way round:
> It's very hard to implement partial replication correctly. ;-}
> 
> Ciao, Michael.