Re: delta-syncrepl and acl limitation

["COMBES Julien - CETE Lyon/DI/ET/PAMELA" <julien.combes@i-carre.net>]

Hello,

Thanks for your answers.

Le 04.11.2008 11:52, Howard Chu a écrit  :
> Since you're using delta-syncrepl, you have to set corresponding ACLs on 
> the log DB in order to prevent the consumer from seeing the entries you 
> don't want it to access.

I had tested to put ACL on log DB before asking questions on the list 
but I did not succeed.

To reflect on the "log DB" the ACL of the database, and due to the fact 
that "log DB" is a flat database with all entries matching 
"objectClass=auditModify" and with dn="redStart=...", I have imagined 
putting ACL on reqDN. I have tried ACL like this :

access to dn.subtree="cn=accesslog" 
filter="(reqDN=*ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain")"
        by by 
dn="cn=sync.service1,ou=adm,ou=ressources,dc=my,dc=domain" read
        by * break

access to dn.subtree="cn=accesslog"
        by dn="cn=adm,ou=adm,ou=ressources,dc=my,dc=domain" read
        by * none

But, with this ACL, an ldapsearch request on a ReqDN, which should be 
seen by the sync account (cn=sync.service1), return nothing, whereas the 
same request with "cn=adm" returned the entries (both accounts have 
"unlimited limits").

Is it something wrong with this ACL ? Am I on a bad way ?
Which kind of ACL can be put on log DB ?

Regards,
Julien