
Re: Remove an objectclass during syncrepl



> Hi all,
>
> We have a brand new LDAP server that we are going to replicate with an
> outside replica, for an extranet purpose.
> During this replication, we would like to remove the "posixaccount"
> objectclass to leave only the "inetorgperson" and "top" ones, so we don't
> need to put in passwords or anything else not needed.
> I heard about slapo-rwm, but it seems to be buggy.

Leave "buggy" aside (it's not "buggy", but it may have interaction problems
with slapo-syncprov(5)).  Or, if you notice a bug, please submit an ITS.

> I'm sure that some of you have already done that; maybe there is a
> better way.

You should use the primary mechanism syncrepl provides for this purpose:
the filter, the attribute list and ACLs.  You can simply hide attributes
related to posixAccount in a specific set of ACLs that are only triggered
by the replicator's identity.  Something like

# hide the posixAccount objectClass value from the replicator identity only
access to attrs=objectClass val=posixAccount
        by dn="cn=replicator" none
        by * break

# hide every attribute defined by posixAccount from the replicator as well
access to attrs=@posixAccount
        by dn="cn=replicator" none
        by * break

Note: you may need to craft that a little bit if posixAccount also
contains stuff used by other objectClasses you don't want to be filtered
out.

p.
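A fuller slapd.conf sketch of this approach, added here as an illustration and not part of the reply above; the suffix, replicator DN and provider URL are assumed placeholders, and the second rule lists the posixAccount attributes explicitly instead of using `@posixAccount`, because that set would also hide cn, uid and description, which inetOrgPerson entries still need:

```conf
### Provider side (slapd.conf) -- added example, placeholder values ###

# 1. Do not let the replicator see that entries are posixAccount at all.
access to attrs=objectClass val=posixAccount
        by dn.exact="cn=replicator,dc=example,dc=com" none
        by * break

# 2. Hide only the attributes that exist because of posixAccount.
#    Deliberately NOT @posixAccount: that would also cover cn, uid and
#    description, which inetOrgPerson uses too (the "craft it a bit" caveat).
access to attrs=uidNumber,gidNumber,homeDirectory,loginShell,gecos,userPassword
        by dn.exact="cn=replicator,dc=example,dc=com" none
        by * break

# 3. Everything else is readable by the replicator; "break" above means the
#    earlier rules fall through to this one for all other attributes.
access to *
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by * break

### Consumer side (slapd.conf) -- added example, placeholder values ###

# The filter and attribute list are the other two mechanisms mentioned
# above; the ACLs on the provider guarantee that even "attrs=*" cannot
# pull the hidden values, so the replica ends up with plain
# top/inetOrgPerson entries and no password hashes.
syncrepl rid=001
        provider=ldap://ldap.example.com
        type=refreshAndPersist
        searchbase="dc=example,dc=com"
        filter="(objectClass=inetOrgPerson)"
        attrs="*"
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=CHANGE_ME
        retry="60 +"
```

Because both the objectClass value and its required attributes are hidden together, the replicated entries stay schema-consistent; hiding only the attributes while leaving objectClass: posixAccount in place would leave the replica with entries missing their MUST attributes.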