I use OpenLDAP 2.3.39.
The OpenLDAP admin guide indicates (in chapter 15 for OpenLDAP 2.3 and
17.2.1 for 2.4):
"Syncrepl supports both partial and sparse replications. The shadow DIT
fragment is defined by a general search criteria consisting of base,
scope, filter, and attribute list. The replica content is also subject
to the access privileges of the bind identity of the syncrepl
replication connection."
So, I understand that, in syncrepl, I could do a partial replication on
the slave with ACL limitations on the master.
I have tried this with delta-syncrepl (with accesslog), but it doesn't
seem to work, with this kind of message on the slave:
slapd: syncrepl_message_to_op: rid 252 be_modify cn=one_entry,ou=foo,ou=bar,dc=my,dc=domain (32)
The slave doesn't have the entry (due to ACL limitations) but sees
modifications on it in the accesslog base and tries to synchronize the entry.
With delta-syncrepl, is it possible to do partial replication on the slave
with ACL limitations on the master?
---------------------------------------------------------------------
master delta-syncrepl conf:
# Accesslog
database hdb
suffix "cn=accesslog"
rootdn "cn=accesslog"
directory "/var/lib/ldap/accesslog"
index entryCSN,objectClass,reqEnd,reqResult,reqStart eq
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
limits dn.regex="cn=syncuser\..*,ou=foo,ou=bar,dc=my,dc=domain"
    size.soft=unlimited size.hard=unlimited
    time.soft=unlimited time.hard=unlimited

# Main database
database hdb
suffix "dc=my,dc=domain"
rootdn "dc=my,dc=domain"
[...]
overlay syncprov
syncprov-checkpoint 100 10
overlay accesslog
logdb "cn=accesslog"
logops writes
logsuccess TRUE
logpurge 07+00:00 01+00:00
---------------------------------------------------------------------
slave delta-syncrepl conf:
syncrepl rid=252
    provider=ldaps://ldapmaster.my.domain
    type=refreshAndPersist
    retry="60 10 300 +"
    searchbase="dc=my,dc=domain"
    filter="(objectClass=*)"
    scope=sub
    schemachecking=off
    updatedn="cn=replicsyncrepl,ou=foo,ou=bar,dc=my,dc=domain"
    bindmethod=simple
    binddn="cn=syncuser.slaveone,ou=foo,ou=bar,dc=my,dc=domain"
    credentials=<secret>
    logbase="cn=accesslog"
    syncdata=accesslog
updateref ldaps://ldapmaster.my.domain
---------------------------------------------------------------------
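Added example (not from the post above, nor OpenLDAP's own code): a small audit of accesslog records that predicts which logged writes a partial consumer would replay against entries its bind identity could never read on the master. The accesslog LDIF and the subtree the syncuser is allowed to see (ou=users) are constructed for illustration, and the script assumes cn=accesslog itself carries no ACL restricting the consumer, so every logged write is delivered to it.

```python
import re

# Constructed accesslog records (sample data, not from the post).
ACCESSLOG_LDIF = """\
dn: reqStart=20080101120000.000001Z,cn=accesslog
reqType: modify
reqDN: cn=one_entry,ou=foo,ou=bar,dc=my,dc=domain
reqResult: 0

dn: reqStart=20080101120100.000001Z,cn=accesslog
reqType: add
reqDN: cn=alice,ou=users,dc=my,dc=domain
reqResult: 0

dn: reqStart=20080101120200.000001Z,cn=accesslog
reqType: modify
reqDN: cn=alice,ou=users,dc=my,dc=domain
reqResult: 0

dn: reqStart=20080101120300.000001Z,cn=accesslog
reqType: add
reqDN: cn=secret,ou=foo,ou=bar,dc=my,dc=domain
reqResult: 0
"""

# Hypothetical master ACL: the syncuser may only read entries under ou=users.
REPLICA_VISIBLE_SUBTREE = "ou=users,dc=my,dc=domain"

def parse_accesslog(ldif):
    """Split LDIF text into one dict per record (single-valued attributes suffice here)."""
    records = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, val = line.partition(": ")
            rec[key] = val
        records.append(rec)
    return records

def acl_visible(dn):
    """True if the consumer's bind identity could read this entry on the master."""
    dn, base = dn.lower(), REPLICA_VISIBLE_SUBTREE.lower()
    return dn == base or dn.endswith("," + base)

def audit_accesslog(ldif):
    """Return (record dn, op, target dn, outcome) for writes on ACL-hidden entries.
    A modify/delete/modrdn on such a DN ends in noSuchObject (32), the error seen
    on the slave; an add would create on the consumer an entry the master hides."""
    problems = []
    for rec in parse_accesslog(ldif):
        op, dn = rec.get("reqType", ""), rec.get("reqDN", "")
        if op in ("modify", "delete", "modrdn", "add") and not acl_visible(dn):
            outcome = "replicates an ACL-hidden entry" if op == "add" else "fails with noSuchObject (32)"
            problems.append((rec["dn"], op, dn, outcome))
    return problems
```

Running the audit over the real accesslog (exported with ldapsearch as the syncuser) before enabling delta-syncrepl shows which entries the filter or ACL leaves inconsistent between master and slave.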