
Re: Syncrepl not replicating entire tree



> Hi,
> Here are the ACLs used by the consumer.
>
> #
> # LDAP slave3 ACLs
> #
> access to attrs=userPassword,ntPassword,lmPassword
>         by dn="cn=Replicator,dc=iitb,dc=ac,dc=in" write
>         by dn="cn=Manager,dc=iitb,dc=ac,dc=in" write
>         by dn.exact="cn=courier,ou=people,dc=iitb,dc=ac,dc=in" read
>         by dn.exact="cn=sambaproxy,ou=people,dc=iitb,dc=ac,dc=in" read
>         by dn.exact="cn=ftproxy,ou=people,dc=iitb,dc=ac,dc=in" read
>         by dn.exact="cn=qmail,ou=People,dc=iitb,dc=ac,dc=in" read
>         by anonymous auth
>         by * none
>
> access to *
>         by dn="cn=Replicator,dc=iitb,dc=ac,dc=in" write
>         by dn="cn=Manager,dc=iitb,dc=ac,dc=in" write
>         by dn.exact="cn=courier,ou=people,dc=iitb,dc=ac,dc=in" read
>         by dn.exact="cn=sambaproxy,ou=people,dc=iitb,dc=ac,dc=in" read
>         by dn.exact="cn=ftproxy,ou=people,dc=iitb,dc=ac,dc=in" read
>         by dn.exact="cn=qmail,ou=People,dc=iitb,dc=ac,dc=in" read
>         by * read

... which can safely reduce to

access to attrs=userPassword,ntPassword,lmPassword
        by dn="cn=Replicator,dc=iitb,dc=ac,dc=in" write
        by dn="cn=Manager,dc=iitb,dc=ac,dc=in" write
        by dn.exact="cn=courier,ou=people,dc=iitb,dc=ac,dc=in" read
        by dn.exact="cn=sambaproxy,ou=people,dc=iitb,dc=ac,dc=in" read
        by dn.exact="cn=ftproxy,ou=people,dc=iitb,dc=ac,dc=in" read
        by dn.exact="cn=qmail,ou=People,dc=iitb,dc=ac,dc=in" read
        by anonymous auth

access to *
        by dn="cn=Replicator,dc=iitb,dc=ac,dc=in" write
        by dn="cn=Manager,dc=iitb,dc=ac,dc=in" write
        by * read

OK, now we see that nothing prevents anyone from reading any object, except
for the passwords.

My concern (and my question, which you didn't answer yet) is: can the
replication identity read the missing objects from the producer?  This
involves permissions on the producer side.

My other question is: since you counted the DNs in both slapcats, can you
check if any of the entries you cannot see has "glue" objectClass?

Finally: it is not clear, from your earlier messages, if you can see the
missing entries with ldapsearch.  Can you?

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
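The checks suggested above (count the DNs in the producer's and consumer's slapcat dumps, find which entries the consumer lacks, and see whether any of them carry the "glue" objectClass) can be automated. The script below is an added example written for this thread, not code from the poster or from the OpenLDAP project; it parses slapcat-style LDIF (folded lines, `::` base64 values, comments) and reports the producer entries missing on the consumer. The two LDIF dumps, the `dc=example,dc=org` tree in them, and the function names are constructed for illustration.

```python
import base64


def parse_ldif(text):
    """Parse an LDIF dump (as written by slapcat) into {dn: {attr: [values]}}.

    Handles folded lines (a continuation line starts with one space),
    base64 values written as 'attr:: ...' and '#' comment lines.
    Attribute names are lower-cased because LDAP attribute types are
    case-insensitive.
    """
    lines = []
    for raw in text.splitlines():          # unfold continuation lines first
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current = {}, {}
    for line in lines + [""]:              # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in current:
                entries[current.pop("dn")[0]] = current
            current = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):           # 'attr:: base64value'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr.lower(), []).append(value)
    return entries


def norm_dn(dn):
    """Case-fold a DN and drop whitespace around RDN separators so that
    'OU=People, DC=example' and 'ou=people,dc=example' compare equal.
    Escaped commas inside RDN values are not handled here."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def missing_entries(producer_ldif, consumer_ldif):
    """Return [(dn, is_glue)] for each producer entry absent on the consumer.

    is_glue is True when the entry has objectClass 'glue', i.e. it exists
    only to hold children and is the kind of entry the thread asks about.
    """
    producer = parse_ldif(producer_ldif)
    consumer_dns = {norm_dn(dn) for dn in parse_ldif(consumer_ldif)}
    report = []
    for dn, attrs in producer.items():
        if norm_dn(dn) not in consumer_dns:
            classes = {v.lower() for v in attrs.get("objectclass", [])}
            report.append((dn, "glue" in classes))
    return report


# Constructed sample dumps (not from the thread): the consumer copy lacks a
# glue entry and the child below it.
PRODUCER_LDIF = """\
# producer slapcat output (constructed)
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
dc: example
o: Example Org

dn: ou=people,dc=example,dc=org
objectClass: organizationalUnit
ou: people

dn: ou=hosts,dc=example,dc=org
objectClass: glue

dn: cn=host1,ou=hosts,dc=example,dc=org
objectClass: device
cn: host1

dn: cn=alice,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
cn: alice
sn: Example
userPassword:: c2VjcmV0
description: folded value continues
  here
"""

CONSUMER_LDIF = """\
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
dc: example
o: Example Org

dn: OU=People,DC=example,DC=org
objectClass: organizationalUnit
ou: people

dn: cn=alice,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
cn: alice
sn: Example
userPassword:: c2VjcmV0
description: folded value continues here
"""

if __name__ == "__main__":
    for dn, is_glue in missing_entries(PRODUCER_LDIF, CONSUMER_LDIF):
        print(f"{'GLUE   ' if is_glue else 'missing'} {dn}")
```

Run it against `slapcat` output from both servers; every DN it prints is a candidate for the "can the replication identity read it on the producer?" test, which you can perform directly by binding to the producer as `cn=Replicator,dc=iitb,dc=ac,dc=in` with `ldapsearch -x -H ldap://PRODUCER_HOST -D "cn=Replicator,dc=iitb,dc=ac,dc=in" -W -b "<missing dn>" -s base` (PRODUCER_HOST is a placeholder). An entry that slapcat shows but that bind cannot read points at the producer-side ACLs rather than the consumer's.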