michael@stroeder.com wrote:
Full_Name:
Version: 2.4.26
OS:
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (84.163.26.156)
It seems that attribute auditContext is replicated to consumers if there's an accesslog DB configured at the provider. IMO this does not make sense since the accesslog DB is not replicated and one might not want to load slapo-accesslog module at all in the consumer's config.
In a 2-way MMR setup with an accesslog DB attached to both master providers, the auditContext contains two values for auditContext and even the same one.
Since a syncrepl operation is a regular LDAP search, the provider sends everything that matches the search request. Probably we should be filtering out DSA-specific opattrs at the consumer side.
Agree. User-wise, there could be a (set of) configuration option(s) that result in a safe default filtering, while allowing "expert" users (or for experimental reasons) to replicate things arbitrarily.
Alternatives:
1) protect auditContext with ACLs at the producer's side
2) document the need to use filter="(!(objectClass=auditContext))" (or whatever is appropriate) when configuring the consumer.
p.
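
The two workarounds discussed in this thread, sketched as slapd.conf fragments. This is an added example, not configuration posted by anyone in the thread: the first part is the provider-side ACL, the second excludes the attribute at the consumer with syncrepl's `exattrs` parameter (slapd.conf(5)) rather than the search filter mentioned above. All DNs, host names, the rid and the credentials are placeholders, and the fragments have not been checked against 2.4.26.

```conf
# Added example; every DN, host name and credential here is a placeholder.

# --- Provider slapd.conf: hide auditContext from the replication identity ---
# Place this before any broader "access to *" rule, since slapd stops at the
# first <what> clause that matches. "by * break" lets every other identity
# fall through to the rules that follow.
access to attrs=auditContext
    by dn.exact="cn=replicator,dc=example,dc=com" none
    by * break

# --- Consumer slapd.conf: drop auditContext from incoming entries ---
# No accesslog overlay is loaded here; exattrs lists attributes the consumer
# omits from the entries it receives from the provider.
syncrepl rid=001
    provider=ldap://provider.example.com
    type=refreshAndPersist
    retry="60 +"
    searchbase="dc=example,dc=com"
    bindmethod=simple
    binddn="cn=replicator,dc=example,dc=com"
    credentials=REPLACE_ME
    exattrs="auditContext"
```

After a full refresh, reading the suffix entry on the consumer with `ldapsearch -s base -b "dc=example,dc=com" auditContext` shows whether the attribute still arrives.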