Hi.
I have a replication setup.
It is a full replication of o=company, but the user for replication (uid=replica,ou=users,o=company) is limited by ACL.
Master configuration:

# ACLs: the replication identity may read only o=company itself and ou=dev
access to dn.subtree="ou=users,o=company" attrs=userPassword
        by anonymous auth
access to dn.base="o=company"
        by dn.exact="uid=replica,ou=users,o=company" read
access to dn.subtree="ou=dev,o=company"
        by dn.exact="uid=replica,ou=users,o=company" read

#######################################################################
# BDB database definitions
#######################################################################
database        hdb
suffix          "o=company"
rootdn          "cn=ldapadm,o=company"
rootpw          password
directory       /var/db/openldap-data/o=company
# syncrepl provider overlay
overlay         syncprov
Slave configuration:

#######################################################################
# BDB database definitions
#######################################################################
database        hdb
suffix          "o=company"
rootdn          "cn=ldapadm,o=company"
rootpw          password
directory       /var/db/openldap-data/o=company
# syncrepl consumer, binding as the ACL-limited replication identity
syncrepl rid=001
        provider=ldap://ro1.devel.ldap.company.ru:389
        type=refreshAndPersist
        retry="5 10 300 +"
        searchbase="o=company"
        scope=sub
        schemachecking=off
        starttls=critical
        bindmethod=simple
        tls_reqcert=never
        binddn="uid=replica,ou=users,o=company"
        credentials="password"
Replication works.
When I move an object into a subtree forbidden by the ACL, no information about this modification reaches the replica server,
e.g. this operation on the master server:

dn: ou=groups2,ou=dev,o=company
changetype: moddn
newrdn: ou=groups2
deleteoldrdn: 1
newsuperior: ou=corp,o=company

This object is not deleted and the contextCSN is not updated on the replica.
Is it expected behavior or not?
--
Konstantin Menshikov
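An added check, not part of the original post, that compares the contextCSN of the provider with that of the consumer so a replica that silently stopped applying changes (as with the moddn above) is noticed. It assumes the two inputs are the LDIF that ldapsearch prints for the base entry o=company; the values below are constructed sample data, not output from any real server.

```shell
#!/bin/sh
# Added check (not from the original post): detect contextCSN drift between
# provider and consumer. Real input for each side comes from
#   ldapsearch -x -LLL -H ldap://HOST -b o=company -s base contextCSN
# The LDIF written below is constructed sample data.

# Print "sid csn" for every contextCSN value in an LDIF file, sorted by sid.
# CSN layout: timestamp#counter#sid#modifier, so field 3 is the server id.
csn_list() {
    awk -F': ' '/^contextCSN:/ { split($2, f, "#"); print f[3], $2 }' "$1" | sort
}

# Return 0 when provider and consumer carry identical contextCSNs; otherwise
# print the provider CSNs the consumer does not have and return 1.
csn_drift() {
    provider=$(csn_list "$1")
    consumer=$(csn_list "$2")
    [ "$provider" = "$consumer" ] && return 0
    printf '%s\n' "$provider" | while read -r sid csn; do
        case "$consumer" in
            *"$sid $csn"*) ;;
            *) echo "drift: sid=$sid provider=$csn" ;;
        esac
    done
    return 1
}

# Constructed sample: the consumer's contextCSN is older than the provider's,
# which is what a replica that missed the moddn would show.
PROV=$(mktemp)
CONS=$(mktemp)
cat > "$PROV" <<'EOF'
dn: o=company
contextCSN: 20110615101522.123456Z#000000#000#000000
EOF
cat > "$CONS" <<'EOF'
dn: o=company
contextCSN: 20110615094501.654321Z#000000#000#000000
EOF

csn_drift "$PROV" "$CONS" || echo "replica is behind the provider"
```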