
Re: Antw: Re: Denying access to syncrepl consumere during initial DIT content load



Hi,

On Mon, 24 Mar 2014, Howard Chu wrote:

> Christian Kratzer wrote:
>> Hi,
>>
>> On Mon, 24 Mar 2014, Ulrich Windl wrote:
>>> Hi!
>>>
>>> Stupid question: If sync is based on entryUUID and entryCSN and objects are
>>> transferred in transactions, how can an obsolete or incomplete object exist on
>>> a server that is to be synced?
>>
>> if for example the acl on the provider does not show you all attributes
>> because the acl is based on data not yet synced then the provider will
>> give the consumer incomplete objects.
>
> That makes no sense, since ACLs on the provider aren't dependent on data from any other server. I.e., whether the data is synced or not on a particular consumer won't change the evaluation of ACLs on the provider.

In my situation the provider itself is still syncing up and the acl is
dependent on the full DIT being in place.

> Hm... Unless of course, your ACLs depend on entries living in a back-ldap instance that points at a particular consumer. That would be quite bizarre.

I have the following:

olcLimits:
  group/groupOfNames/member="cn=replicators,ou=serviceaccounts,dc=cksoft,dc=net"
  size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited

olcAccess: to *
  by group/groupOfNames/member="cn=replicators,ou=serviceaccounts,dc=cksoft,dc=net" read


and the following group in the DIT with the mapped sasl identities of the servers:

 dn: cn=replicators,ou=ServiceAccounts,dc=cksoft,dc=net
 objectClass: groupOfNames
 cn: replicators
 member: cn=ldap1.cksoft.de,ou=ServiceAccounts,dc=cksoft,dc=net
 member: cn=ldap2.cksoft.de,ou=ServiceAccounts,dc=cksoft,dc=net
 ...
 ...
 ...

The situation I am getting at is:
1. provider A has the data
2. consumer B is empty and starts to sync up from provider A
3. consumer C is empty and starts up to sync from B.
4. Above group is not yet populated on B as it is still empty.
5. B will not apply above olcLimit clause to the connection C is on
6. B will not show all entries or all attributes to C as the acl will not match


I can see above happening quite easily in a 3 or 4 server multimaster cluster when one of them is being resynced.

Denying client connections in the initial sync phase is the trivial fix that will enforce consistency.

Greetings
Christian

--
Christian Kratzer                   CK Software GmbH
Email:   ck@cksoft.de               Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843           Geschaeftsfuehrer: Christian Kratzer
Web:     http://www.cksoft.de/
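The A -> B -> C race described in the message above, modelled as an added example (not code from the thread or from OpenLDAP): a tiny in-memory DIT, a simplified evaluator for the single rule `to * by group/groupOfNames/member=... read`, and a chained refresh in which C pulls from B before B holds the replicators group. Assumptions: slapd's implicit trailing `by * none` closes the ACL, DN comparison is approximated by lowercasing, the third server `ldap3.cksoft.de` and the `uid=alice` entry are constructed, and `replicators_ready` is a hypothetical pre-flight gate standing in for "deny client connections during the initial sync", which the thread proposes but does not show as a slapd setting.

```python
from copy import deepcopy

# DNs as they appear in the thread's ACL and group entry (ldap3 is a
# hypothetical third server so that one consumer can sync from another).
GROUP_DN = "cn=replicators,ou=serviceaccounts,dc=cksoft,dc=net"
LDAP1 = "cn=ldap1.cksoft.de,ou=ServiceAccounts,dc=cksoft,dc=net"
LDAP2 = "cn=ldap2.cksoft.de,ou=ServiceAccounts,dc=cksoft,dc=net"
LDAP3 = "cn=ldap3.cksoft.de,ou=ServiceAccounts,dc=cksoft,dc=net"  # hypothetical
REPLICATORS = [LDAP1, LDAP2, LDAP3]


def norm_dn(dn):
    """DN comparison is case-insensitive; crude lowercasing stands in for real
    DN normalisation and is enough for the constructed data below."""
    return ",".join(part.strip().lower() for part in dn.split(","))


# Constructed provider DIT: the replicators group from the thread plus one
# ordinary entry, keyed by normalised DN.
PROVIDER_DIT = {
    norm_dn(GROUP_DN): {
        "objectClass": ["groupOfNames"],
        "cn": ["replicators"],
        "member": list(REPLICATORS),
    },
    norm_dn("uid=alice,ou=People,dc=cksoft,dc=net"): {
        "objectClass": ["inetOrgPerson"],
        "uid": ["alice"],
        "userPassword": ["{SSHA}constructed-placeholder"],
    },
}


def is_group_member(dit, group_dn, bind_dn):
    """Evaluate 'by group/groupOfNames/member=<group_dn>' the way slapd does:
    the group entry is looked up in THIS server's own DIT. If the entry has
    not been replicated here yet, the clause simply does not match."""
    group = dit.get(norm_dn(group_dn))
    if group is None:
        return False
    members = {norm_dn(m) for m in group.get("member", [])}
    return norm_dn(bind_dn) in members


def search(dit, bind_dn):
    """Entries bind_dn may read under the thread's single rule
    'to * by group/groupOfNames/member=... read', followed by slapd's implicit
    'by * none' (assumed; the thread shows no further clauses)."""
    if is_group_member(dit, GROUP_DN, bind_dn):
        return deepcopy(dit)
    return {}


def syncrepl_refresh(source_dit, consumer_bind_dn):
    """One refresh: the consumer receives exactly what the source's ACL shows
    to the identity the consumer binds with."""
    return search(source_dit, consumer_bind_dn)


def chained_sync(provider_dit, b_bind_dn, c_bind_dn, c_starts_first):
    """A -> B -> C. With c_starts_first=True, C refreshes from B while B is
    still empty (the race in the thread); otherwise B finishes first."""
    b_dit = {}
    if c_starts_first:
        c_dit = syncrepl_refresh(b_dit, c_bind_dn)  # group absent on B: denied
        b_dit = syncrepl_refresh(provider_dit, b_bind_dn)
    else:
        b_dit = syncrepl_refresh(provider_dit, b_bind_dn)
        c_dit = syncrepl_refresh(b_dit, c_bind_dn)
    return b_dit, c_dit


def replicators_ready(dit, expected_members):
    """Hypothetical pre-flight gate for an intermediate server: do not serve
    downstream consumers until the replicators group exists locally and lists
    every expected identity."""
    group = dit.get(norm_dn(GROUP_DN))
    if group is None:
        return False
    have = {norm_dn(m) for m in group.get("member", [])}
    return all(norm_dn(m) in have for m in expected_members)


if __name__ == "__main__":
    for race in (True, False):
        b, c = chained_sync(PROVIDER_DIT, LDAP2, LDAP3, c_starts_first=race)
        print(f"C starts before B is populated: {race} -> "
              f"B has {len(b)} entries, C has {len(c)} entries, "
              f"B ready to serve C: {replicators_ready(b, REPLICATORS)}")
```

Running it shows the two orderings side by side: when C refreshes first it ends up with nothing because B's copy of the group does not exist yet, and B only passes the readiness gate once its own refresh from A has completed; the same gate fails for an identity that is missing from the group, so it also catches a half-replicated member list.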