Re: Syncrepl partial replication based on attribute problem

[Nick Milas <nick@eurobjects.com>]

On 1/6/2012 4:38 ÏÎ, Howard Chu wrote:

> Visibility changes due to ACL rules are not detected. syncprov only 
> checks an entry against the search parameters of the original sync 
> search operation, i.e., the base, scope, and filter. If an entry 
> matches these params before the modification, and no longer matches 
> after the operation, syncprov will send a delete message for that 
> entry. (Likewise if an entry doesn't match before, but matches after, 
> syncprov will send an Add for the entry.) 

I would like a clarification on this, please:

Since the syncprov mechanism does a search based on base/scope/filter 
from *a particular binddn* account, doesn't this mean that if visibility 
*by that same binddn* of some entry (due to ACL restrictions) changes 
after a modification, then effectively the same search (based on the 
same base/scope/filter) will produce different results, which means that 
the syncprov mechanism *should* generate an add/delete message accordingly?

In other words, syncprov does not produce messages based on the 
differences between the results of standard ldapsearch'es? And if it 
does not, shouldn't it?

Why syncprov should ignore ACL-based visibility? This seems unnatural 
and does not assist conceptualization. At least it seems confusing to 
me. Can you please provide more details on the syncprov mechanism with 
regard to this?

Please advise!

Thanks,
Nick