
Re: delta-syncrepl and acl limitation



Hello,

Thanks for your answers.

On 04.11.2008 11:52, Howard Chu wrote:
> Since you're using delta-syncrepl, you have to set corresponding ACLs on the log DB in order to prevent the consumer from seeing the entries you don't want it to access.

I had tested putting ACLs on the log DB before asking questions on the list, but I did not succeed.


To reflect the ACLs of the database on the "log DB", and since the "log DB" is a flat database whose entries all match "objectClass=auditModify" and have dn="reqStart=...", I thought of putting ACLs on reqDN. I have tried ACLs like this:

access to dn.subtree="cn=accesslog" filter="(reqDN=*ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain)"
        by dn="cn=sync.service1,ou=adm,ou=ressources,dc=my,dc=domain" read
        by * break

access to dn.subtree="cn=accesslog"
        by dn="cn=adm,ou=adm,ou=ressources,dc=my,dc=domain" read
        by * none

But with these ACLs, an ldapsearch request on a reqDN that should be visible to the sync account (cn=sync.service1) returns nothing, whereas the same request as "cn=adm" returns the entries (both accounts have "unlimited limits").

Is there something wrong with these ACLs? Am I on the wrong track?
Which kind of ACL can be put on the log DB?

Regards,
Julien
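As an added illustration (not part of the thread), the script below walks the two access clauses from the message in the order slapd evaluates them, for the sync and adm identities against constructed accesslog entries, so the resulting access for the base entry and for individual log entries can be checked. It models only the subset of slapd.access(5) semantics used here (dn.subtree, a single-attribute filter, by dn=, by *, read/none/break) and treats the substring filter as a plain suffix match on reqDN, which a real slapd only performs when the attribute's syntax has a substring matching rule.

```python
# Constructed identities and suffix taken from the ACLs in the message.
SYNC = "cn=sync.service1,ou=adm,ou=ressources,dc=my,dc=domain"
ADM = "cn=adm,ou=adm,ou=ressources,dc=my,dc=domain"
P1_SUFFIX = "ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain"


def in_subtree(dn, base):
    """dn.subtree="base": the base entry itself and everything below it."""
    return dn == base or dn.endswith("," + base)


# (target predicate, [(subject predicate, access)]) in slapd.conf order.
# The filter clause is approximated as a suffix match on reqDN; an entry
# without reqDN (e.g. cn=accesslog itself) cannot match it.
ACLS = [
    (lambda e: in_subtree(e["dn"], "cn=accesslog")
     and e.get("reqDN", "").endswith(P1_SUFFIX),
     [(lambda who: who == SYNC, "read"), (lambda who: True, "break")]),
    (lambda e: in_subtree(e["dn"], "cn=accesslog"),
     [(lambda who: who == ADM, "read"), (lambda who: True, "none")]),
]


def evaluate(entry, who):
    """First access clause whose target matches is used; within it the first
    matching 'by' clause decides, except 'break', which moves on to the next
    access clause. If no 'by' clause matches, access is denied (implicit
    'by * none'). Entries outside cn=accesslog are not modelled."""
    for target, subjects in ACLS:
        if not target(entry):
            continue
        for subject, access in subjects:
            if subject(who):
                if access == "break":
                    break  # fall through to the next access clause
                return access
        else:
            return "none"
    return "none"


# Constructed sample entries: the database base and two log records.
BASE = {"dn": "cn=accesslog"}
LOG_P1 = {"dn": "reqStart=20081104115200.000001Z,cn=accesslog",
          "reqDN": "uid=alice," + P1_SUFFIX}
LOG_OTHER = {"dn": "reqStart=20081104115200.000002Z,cn=accesslog",
             "reqDN": "uid=bob,ou=P2,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain"}

if __name__ == "__main__":
    for name, entry in [("base", BASE), ("P1 log entry", LOG_P1), ("other log entry", LOG_OTHER)]:
        print(f"{name:16} sync={evaluate(entry, SYNC):5} adm={evaluate(entry, ADM)}")
```

The output makes visible which entries each identity can read under the clauses as written, including the cn=accesslog base entry that the filtered first clause never matches.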