
Re: SyncREPL Behaves Inconsistently (ITS#3262)



> 255 will be good enough to trace the problem.

Will do this evening.

> One question: do you have group acl configured ?

Yes, all DSAs are configured with...

./configure --prefix=/opt/dsa --sysconfdir=/etc \
  --localstatedir=/var/run/slapd --libexecdir=/opt/dsa/libexec \
  --libdir=/opt/dsa/lib --mandir=/opt/dsa/man --sbindir=/opt/dsa/sbin \
  --datadir=/opt/dsa/share --localstatedir=/opt/dsa/var \
  --includedir=/opt/dsa/include --enable-aclgroups --enable-spasswd \
  --enable-modules --enable-shared --enable-dynamic --with-tls \
  --with-cyrus-sasl --enable-crypt --enable-ipv6=yes --enable-aci \
  --enable-bdb --enable-rewrite --enable-ldap --enable-meta \
  --enable-monitor --enable-ldbm --enable-sql --enable-lmpasswd \
  --with-dyngroup --with-proxycache

We are currently testing with "access to * by * write", to see if that
helped the problem (it didn't).  Prior to that we were testing with the
following ACL as our first rule....

access to dn.subtree="o=Morrison Industries,c=US"
  by dn.base="cn=Administrator,o=Morrison Industries,c=US" write
  by group/groupOfUniqueNames/uniqueMember="cn=DSA Administrators,ou=ACLGroups,o=Morrison Industries,c=US" write
  by group/groupOfUniqueNames/uniqueMember="cn=DSA Replicators,ou=ACLGroups,o=Morrison Industries,c=US" write
  by group/groupOfUniqueNames/uniqueMember="cn=Full SyncRepl Consumers,ou=ACLGroups,o=Morrison Industries,c=US" read
  by * break

...with all the SyncREPL consumers' bind DNs in "cn=Full SyncRepl
Consumers,ou=ACLGroups,o=Morrison Industries,c=US"