
Re: Syncrepl not replicating entire tree



Hi,


... which can safely reduce to

access to attrs=userPassword,ntPassword,lmPassword
       by dn="cn=Replicator,dc=iitb,dc=ac,dc=in" write
       by dn="cn=Manager,dc=iitb,dc=ac,dc=in" write
       by dn.exact="cn=courier,ou=people,dc=iitb,dc=ac,dc=in" read
       by dn.exact="cn=sambaproxy,ou=people,dc=iitb,dc=ac,dc=in" read
       by dn.exact="cn=ftproxy,ou=people,dc=iitb,dc=ac,dc=in" read
       by dn.exact="cn=qmail,ou=People,dc=iitb,dc=ac,dc=in" read
       by anonymous auth

access to *
       by dn="cn=Replicator,dc=iitb,dc=ac,dc=in" write
       by dn="cn=Manager,dc=iitb,dc=ac,dc=in" write
       by * read

OK, now we see that nothing prevents reading any object, except for
the passwords.


There is no password set for the missing entries.

My concern (and my question, which you didn't answer yet) is: can the
replication identity read the missing objects from the producer? This
involves permissions on the producer side.


Yes, the replication identity can read the missing entries from the producer.
For example, it can read the "dn: ou=EE,ou=People,dc=iitb,dc=ac,dc=in":
[command]
$ /usr/local/openldap/bin/ldapsearch -x -b "dc=iitb,dc=ac,dc=in" -D "cn=syncuser,ou=Management,dc=iitb,dc=ac,dc=in" -W -x -h provider.iitb.ac.in:389 ou=EE
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=iitb,dc=ac,dc=in> with scope sub
# filter: ou=EE
# requesting: ALL
#


# EE, People, iitb.ac.in
dn: ou=EE,ou=People,dc=iitb,dc=ac,dc=in
ou: EE
objectClass: top
objectClass: organizationalUnit
[\command]

Should I include the bits of ACLs from my producer?

My other question is: since you counted the DNs in both slapcats, can you
check if any of the entries you cannot see has "glue" objectClass?


Yes, they do. Considering the same example: 'dn: ou=EE,ou=People,dc=iitb,dc=ac,dc=in' on my consumer has a "glue" objectClass.
[ldif]
dn: ou=EE,ou=People,dc=iitb,dc=ac,dc=in
structuralObjectClass: glue
objectClass: top
objectClass: glue
[\ldif]


But the same entry on the provider does not have a "glue" objectClass.
[ldif]
dn: ou=EE,ou=People,dc=iitb,dc=ac,dc=in
ou: EE
objectClass: top
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 9ea7320a-ec3b-1028-8a25-eb9297806c56
creatorsName: cn=Manager,dc=iitb,dc=ac,dc=in
createTimestamp: 20041227101255Z
entryCSN: 20041227101255Z#00000a#00#000000
modifiersName: cn=Manager,dc=iitb,dc=ac,dc=in
modifyTimestamp: 20041227101255Z
[\ldif]

Finally: it is not clear, from your earlier messages, if you can see the
missing entries with ldapsearch. Can you?


Nope, I cannot see them. In the above case I cannot see "dn: ou=EE,ou=People,dc=iitb,dc=ac,dc=in", but as I said,
I can see the entire subtree under it.


Please let me know if I am missing something.
--
Saket
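
Added example, not part of the original message: one way to run the glue check asked about above over two slapcat exports, listing DNs that are "glue" on the consumer but real entries on the provider. The sample LDIF is constructed from the entries quoted in the thread (the uid=example child is made up), and the DN normalisation is a simplification that ignores escaped commas.

```python
import base64

def normalize_dn(dn):
    # Simplified: case-fold and trim around commas (escaped commas not handled).
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Return {normalized_dn: {attr_lower: [values]}} from slapcat-style LDIF."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():                   # blank line ends the entry
            current = None
            continue
        attr, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        value, attr = value.strip(), attr.lower()
        if attr == "dn":
            current = entries.setdefault(normalize_dn(value), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def is_glue(entry):
    return "glue" in (v.lower() for v in entry.get("objectclass", []))

def glue_mismatches(provider_ldif, consumer_ldif):
    """DNs that are glue on the consumer but a real entry on the provider."""
    provider, consumer = parse_ldif(provider_ldif), parse_ldif(consumer_ldif)
    return sorted(dn for dn, e in consumer.items()
                  if is_glue(e) and dn in provider and not is_glue(provider[dn]))

# Constructed sample input based on the entries quoted in the thread.
CHILD = "\ndn: uid=example,ou=EE,ou=People,dc=iitb,dc=ac,dc=in\nobjectClass: account\n"
PROVIDER = ("dn: ou=EE,ou=People,dc=iitb,dc=ac,dc=in\nou: EE\nobjectClass: top\n"
            "objectClass: organizationalUnit\n" + CHILD)
CONSUMER = ("dn: ou=EE,ou=People,dc=iitb,dc=ac,dc=in\nstructuralObjectClass: glue\n"
            "objectClass: top\nobjectClass: glue\n" + CHILD)

if __name__ == "__main__":
    for dn in glue_mismatches(PROVIDER, CONSUMER):
        print("glue on consumer, real on provider:", dn)
```

To use it on real data, read the provider and consumer slapcat output files into strings and pass them to glue_mismatches().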