Re: Syncrepl not replicating entire tree

[Saket Sathe <saket@cc.iitb.ac.in>]

Hi,

> ... which can safely reduce to
>
> access to attrs=userPassword,ntPassword,lmPassword
>        by dn="cn=Replicator,dc=iitb,dc=ac,dc=in" write
>        by dn="cn=Manager,dc=iitb,dc=ac,dc=in" write
>        by dn.exact="cn=courier,ou=people,dc=iitb,dc=ac,dc=in" read
>        by dn.exact="cn=sambaproxy,ou=people,dc=iitb,dc=ac,dc=in" read
>        by dn.exact="cn=ftproxy,ou=people,dc=iitb,dc=ac,dc=in" read
>        by dn.exact="cn=qmail,ou=People,dc=iitb,dc=ac,dc=in" read
>        by anonymous auth
>
> access to *
>        by dn="cn=Replicator,dc=iitb,dc=ac,dc=in" write
>        by dn="cn=Manager,dc=iitb,dc=ac,dc=in" write
>        by * read
>
> OK, now we see that nothing prevents from reading any object, except for
> the passwords.
>  
There is no password set for the missing entries.

> My concern (and my question, which you didn't answer yet) is: can the
> replication identity read the missing objects from the producer?  This
> involves permissions on the producer side.
>  
Yes, the replication identity can read the missing entries from the 
producer.
For ex. it can read the "dn: ou=EE,ou=People,dc=iitb,dc=ac,dc=in":
[command]
$ /usr/local/openldap/bin/ldapsearch -x -b "dc=iitb,dc=ac,dc=in" -D 
"cn=syncuser,ou=Management,dc=iitb,dc=ac,dc=in" -W -x -h 
provider.iitb.ac.in:389 ou=EE
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=iitb,dc=ac,dc=in> with scope sub
# filter: ou=EE
# requesting: ALL
#

# EE, People, iitb.ac.in
dn: ou=EE,ou=People,dc=iitb,dc=ac,dc=in
ou: EE
objectClass: top
objectClass: organizationalUnit
[\command]

Should I include the bits of ACLs from my Producer ?

> My other question is: since you counted the DNs in both slapcats, can you
> check if any of the entries you cannot see has "glue" objectClass?
>  
Yes, they do. Considering the same ex.:  'dn: 
ou=EE,ou=People,dc=iitb,dc=ac,dc=in' on my consumer has a "glue" 
objectClass.
[ldif]
dn: ou=EE,ou=People,dc=iitb,dc=ac,dc=in
structuralObjectClass: glue
objectClass: top
objectClass: glue
[\ldif]

But the same entry on the provider does not have a "glue" objectClass.
[ldif]
dn: ou=EE,ou=People,dc=iitb,dc=ac,dc=in
ou: EE
objectClass: top
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 9ea7320a-ec3b-1028-8a25-eb9297806c56
creatorsName: cn=Manager,dc=iitb,dc=ac,dc=in
createTimestamp: 20041227101255Z
entryCSN: 20041227101255Z#00000a#00#000000
modifiersName: cn=Manager,dc=iitb,dc=ac,dc=in
modifyTimestamp: 20041227101255Z
[\ldif]

> Finally: it is not clear, from your earlier messages, if you can see the
> missing entries with ldapsearch.  Can you?
>  
Nope I  cannot see them.  In the above case I cannot see "dn: 
ou=EE,ou=People,dc=iitb,dc=ac,dc=in" but as I said
I can see the entire subtree under it.

Please let me know if I am missing out something.
--
Saket