delta-syncrepl and acl limitation

Hello

I use OpenLDAP 2.3.39.

The OpenLDAP admin guide indicates (in chapter 15 for OpenLDAP 2.3 and 17.2.1 for 2.4):
"Syncrepl supports both partial and sparse replications. The shadow DIT fragment is defined by a general search criteria consisting of base, scope, filter, and attribute list. The replica content is also subject to the access privileges of the bind identity of the syncrepl replication connection."


So, I understand that, in syncrepl, I could do a partial replication on the slave with ACL limitation on the master.

I have tried this with delta-syncrepl (with accesslog), but it doesn't seem to work, with this kind of message on the slave:
slapd : syncrepl_message_to_op: rid 252 be_modify cn=one_entry,ou=foo,ou=bar,dc=my,dc=domain (32)


The slave doesn't have the entry (due to ACL limitations), but sees modifications to it in the accesslog base and tries to synchronize the entry.

With delta-syncrepl, is it possible to do partial replication on the slave with ACL limitation on the master?

---------------------------------------------------------------------
master delta-syncrepl conf:

# Accesslog
database        hdb
suffix "cn=accesslog"
rootdn "cn=accesslog"

directory       "/var/lib/ldap/accesslog"

index entryCSN,objectClass,reqEnd,reqResult,reqStart eq

overlay syncprov
syncprov-nopresent      TRUE
syncprov-reloadhint     TRUE

limits dn.regex="cn=syncuser\..*,ou=foo,ou=bar,dc=my,dc=domain"
        size.soft=unlimited size.hard=unlimited
        time.soft=unlimited time.hard=unlimited

database        hdb
suffix          "dc=my,dc=domain"
rootdn          "dc=my,dc=domain"

[...]
overlay syncprov
syncprov-checkpoint 100 10


overlay accesslog logdb "cn=accesslog" logops writes logsuccess TRUE logpurge 07+00:00 01+00:00

---------------------------------------------------------------------
slave delta-syncrepl conf:

syncrepl rid=252
        provider=ldaps://ldapmaster.my.domain
        type=refreshAndPersist
        retry="60 10 300 +"
        searchbase="dc=my,dc=domain"
        filter="(objectClass=*)"
        scope=sub
        schemachecking=off
        updatedn="cn=replicsyncrepl,ou=foo,ou=bar,dc=my,dc=domain"
        bindmethod=simple
        binddn="cn=syncuser.slaveone,ou=foo,ou=bar,dc=my,dc=domain"
        credentials=<secret>
        logbase="cn=accesslog"
        syncdata=accesslog
updateref       ldaps://ldapmaster.my.domain
---------------------------------------------------------------------

Regards,
Julien
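A small consumer-side log check, added here as an example and not part of Julien's post: it parses `syncrepl_message_to_op` lines of the shape quoted above and lists the entries whose replayed accesslog changes failed with result 32 (noSuchObject), i.e. writes the provider logged on entries the ACL-restricted consumer never received. The log lines are constructed; the result-code table covers only the codes a delta-syncrepl replay commonly returns.

```python
import re
from collections import Counter

# Constructed sample of consumer-side slapd log lines, in the shape the post
# quotes: the number in parentheses is the LDAP result code of the replayed op.
SAMPLE_LOG = """\
slapd: syncrepl_message_to_op: rid 252 be_modify cn=one_entry,ou=foo,ou=bar,dc=my,dc=domain (32)
slapd: syncrepl_message_to_op: rid 252 be_modify cn=visible,ou=foo,ou=bar,dc=my,dc=domain (0)
slapd: syncrepl_message_to_op: rid 252 be_delete cn=gone,ou=foo,ou=bar,dc=my,dc=domain (32)
slapd: syncrepl_message_to_op: rid 252 be_modify cn=one_entry,ou=foo,ou=bar,dc=my,dc=domain (32)
slapd: conn=1001 op=2 RESULT tag=103 err=0 text=
"""

# Standard LDAP result codes seen when delta-syncrepl replays accesslog changes.
RESULT_NAMES = {0: "success", 32: "noSuchObject",
                50: "insufficientAccessRights", 68: "entryAlreadyExists"}

OP_RE = re.compile(
    r"syncrepl_message_to_op: rid (?P<rid>\d+) (?P<op>be_\w+) (?P<dn>.+?) \((?P<rc>\d+)\)\s*$")


def parse_syncrepl_op(line):
    """Return (rid, op, dn, result_code) for a syncrepl_message_to_op line, else None."""
    m = OP_RE.search(line)
    if not m:
        return None
    return m["rid"], m["op"], m["dn"], int(m["rc"])


def find_missing_entry_ops(log_text):
    """Accesslog changes the consumer tried to apply to entries it does not hold.

    Result code 32 on a be_modify/be_delete means the provider logged a write on
    an entry the consumer never received: the partial-replica / ACL situation in
    the post. Returns a sorted list of (rid, op, dn, count)."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_syncrepl_op(line)
        if parsed and parsed[3] == 32:
            hits[parsed[:3]] += 1
    return sorted((rid, op, dn, n) for (rid, op, dn), n in hits.items())


def summarize(log_text):
    """One human-readable report line per affected entry."""
    return [f"rid={rid} {op} {dn}: {n}x {RESULT_NAMES[32]}"
            for rid, op, dn, n in find_missing_entry_ops(log_text)]


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

Feed it the consumer's slapd log (syslog or `-d` output) to see which DNs the accesslog replay keeps failing on; a steady stream of such entries is the signature of the ACL-filtered replica the post describes.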