Re: delta-syncrepl and acl limitation
Hello,
Thanks for your answers.
On 04.11.2008 11:52, Howard Chu wrote:
> Since you're using delta-syncrepl, you have to set corresponding ACLs on
> the log DB in order to prevent the consumer from seeing the entries you
> don't want it to access.
I had tried putting ACLs on the log DB before asking questions on the
list, but I did not succeed.
To mirror the database's ACLs on the "log DB", and given that the
"log DB" is a flat database with all entries matching
"objectClass=auditModify" and with dn="reqStart=...", I thought of
putting the ACL on reqDN. I tried an ACL like this:
access to dn.subtree="cn=accesslog"
    filter="(reqDN=*ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain)"
    by dn="cn=sync.service1,ou=adm,ou=ressources,dc=my,dc=domain" read
    by * break
access to dn.subtree="cn=accesslog"
    by dn="cn=adm,ou=adm,ou=ressources,dc=my,dc=domain" read
    by * none
But with this ACL, an ldapsearch request on a reqDN, which should be
seen by the sync account (cn=sync.service1), returns nothing, whereas the
same request with "cn=adm" returns the entries (both accounts have
"unlimited limits").
Is there something wrong with this ACL? Am I on the wrong track?
Which kinds of ACL can be put on the log DB?
Regards,
Julien