Re: Syncrepl partial replication based on attribute problem

[Nick Milas <nick@eurobjects.com>]

On 2/6/2012 11:18 ÏÎ, Nick Milas wrote:

> In other words, syncprov does not produce messages based on the 
> differences between the results of standard ldapsearch'es? And if it 
> does not, shouldn't it?

My tests (with v2.4.31 on both provider and consumer) show that syncrepl 
(refreshAndPersist) works correctly when replicating based on ACL 
restrictions. OpenLDAP consumer deletes correctly an entry from a branch 
when the entry is moved to another, invisible by the consumer binddn, 
branch, and it re-creates it correctly when it is moved back to a 
visible (based on ACL) branch.

So the answer above is yes, syncprov *does* produce update messages 
based on the differences between the results of standard ldapsearch'es.

BUT, I had problems in the past when replicating based on ACLs: There 
might be scenarios - though I never had time to test exhaustively - 
where replication stalls (I even had some crashes) when the consumer 
binddn had -inadvertently- partial only privileges on some branches of 
the provider (probably on entry/children pseudo-attrs only). I ceased to 
have problems when I made sure that there existed *no* privileges *at 
all* on branches / entries where the consumer binddn should NOT have 
access (e.g. by explicitly declaring "by <consumer binddn> none").

I would like to invest some time to test such scenarios more (however, 
not feasible in the immediate future).

Any other info by the developers might be insightful.

Regards,
Nick