Re: Syncrepl partial replication based on attribute problem
On 2/6/2012 11:18 AM, Nick Milas wrote:

> In other words, syncprov does not produce messages based on the
> differences between the results of standard ldapsearch'es? And if it
> does not, shouldn't it?

My tests (with v2.4.31 on both provider and consumer) show that syncrepl
(refreshAndPersist) works correctly when replicating based on ACL
restrictions. OpenLDAP consumer deletes correctly an entry from a branch
when the entry is moved to another, invisible by the consumer binddn,
branch, and it re-creates it correctly when it is moved back to a
visible (based on ACL) branch.

So the answer above is yes, syncprov *does* produce update messages
based on the differences between the results of standard ldapsearch'es.

BUT, I had problems in the past when replicating based on ACLs: There
might be scenarios - though I never had time to test exhaustively -
where replication stalls (I even had some crashes) when the consumer
binddn had -inadvertently- partial only privileges on some branches of
the provider (probably on entry/children pseudo-attrs only). I ceased to
have problems when I made sure that there existed *no* privileges *at
all* on branches / entries where the consumer binddn should NOT have
access (e.g. by explicitly declaring "by <consumer binddn> none").

I would like to invest some time to test such scenarios more (however,
not feasible in the immediate future).

Any other info by the developers might be insightful.

Regards,
Nick
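
An added illustration, not part of the original message and not the poster's configuration: a constructed provider-side slapd.conf ACL fragment showing one way the consumer bind DN can end up with access to only the entry/children pseudo-attributes of a branch, next to the explicit "by <consumer binddn> none" form the message describes. All DNs and branch names are placeholders, and the "partial" variant is an assumption about the kind of setup meant.

```conf
# Constructed example. Placeholder names (assumptions, not from the post):
#   consumer bind DN           cn=replicator,dc=example,dc=com
#   branch to replicate        ou=people,dc=example,dc=com
#   branch to keep invisible   ou=private,dc=example,dc=com

# --- Variant A: inadvertent partial access (commented out) ---------------
# The replicator is an authenticated user, so it matches "by users" in the
# first clause and gets read on the entry/children pseudo-attributes under
# ou=private. For every other attribute it falls through to the second
# clause and matches "by * none". Net effect: partial privileges only.
#
#access to dn.subtree="ou=private,dc=example,dc=com" attrs=entry,children
#        by users read
#access to dn.subtree="ou=private,dc=example,dc=com"
#        by dn.exact="cn=admin,dc=example,dc=com" write
#        by * none

# --- Variant B: explicit denial for the consumer bind DN -----------------
# The replicator is named first in every clause that covers ou=private,
# so no later <who> term (users, *) can grant it anything there.
access to dn.subtree="ou=private,dc=example,dc=com" attrs=entry,children
        by dn.exact="cn=replicator,dc=example,dc=com" none
        by users read
access to dn.subtree="ou=private,dc=example,dc=com"
        by dn.exact="cn=replicator,dc=example,dc=com" none
        by dn.exact="cn=admin,dc=example,dc=com" write
        by * none

# The replicated branch: read access for the consumer, nothing broader.
access to dn.subtree="ou=people,dc=example,dc=com"
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by dn.exact="cn=admin,dc=example,dc=com" write
        by * none

# Check (run as the consumer bind DN): a subtree search based at
# ou=private,dc=example,dc=com should return no entries at all.
```

Clause order matters here: slapd applies the first `access to` clause whose target matches and, within it, the first matching `by` term, so the replicator's `none` line has to precede any broader `users` or `*` term.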