----- quanah@zimbra.com wrote:
Full_Name: Quanah Gibson-Mount
Version: 2.4.12
OS: NA
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (75.111.29.239)
In looking at the admin guide sections on replication, I notice the following:
(a) The syncrepl configuration suggests using the rootdn on the consumer, which we advise people *not* to do.
http://www.openldap.org/doc/admin24/replication.html#Syncrepl
"The consumer uses the rootdn to write to its database so it always has full permissions to write all content."
(b) It makes no mention of using the "limits" option in slapd.conf to bypass sizelimit/timelimit restrictions on a non-rootdn user
Eh? It says no such thing, Quanah?
"In this example, the consumer will connect to the provider slapd(8) at port 389 of ldap://provider.example.com to perform a polling (refreshOnly) mode of synchronization once a day. It will bind as cn=syncuser,dc=example,dc=com using simple authentication with password "secret". Note that the access control privilege of cn=syncuser,dc=example,dc=com should be set appropriately in the provider to retrieve the desired replication content. Also the search limits must be high enough on the provider to allow the syncuser to retrieve a complete copy of the requested content. The consumer uses the rootdn to write to its database so it always has full permissions to write all content."
It binds to the remote db as "cn=syncuser,dc=example,dc=com", but writes to its own db as the rootdn, as per Syncrepl.
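To make the two points in the report concrete, here is an added slapd.conf illustration (not part of this ITS thread and not the admin guide's own text) of a provider and a refreshOnly consumer that follow the quoted setup: the consumer binds to the provider as cn=syncuser,dc=example,dc=com and writes locally as its rootdn, and the provider uses a "limits" directive so that the non-rootdn replication identity is not cut off by sizelimit/timelimit. The suffix dc=example,dc=com, the syncuser DN, the password "secret" and the once-a-day refreshOnly interval come from the quoted guide text; rid=123, cn=Manager as rootdn, the sizelimit value, and the syncprov tuning numbers are assumptions for the example.

```conf
######## Provider side (slapd.conf fragment, added example) ########
database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          {SSHA}replace-with-a-real-hash      # assumption: provider keeps a rootpw

# The replication identity must be able to read everything it copies.
# That is broad read access (it includes userPassword hashes), so the
# account needs a strong credential and should be used for nothing else.
access to *
        by dn.exact="cn=syncuser,dc=example,dc=com" read
        by * break
# ... normal user ACLs follow here ...

# Point (b) of the report: a global sizelimit would silently truncate the
# initial refresh for a non-rootdn binder. Exempt the replication identity.
sizelimit       500                                  # assumed site-wide default
limits  dn.exact="cn=syncuser,dc=example,dc=com" size=unlimited time=unlimited

overlay         syncprov
syncprov-checkpoint 100 10                           # assumed tuning values
syncprov-sessionlog 100

######## Consumer side (slapd.conf fragment, added example) ########
database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# No rootpw is needed here for replication: syncrepl applies updates to the
# local database under the rootdn identity internally, without a bind.

# Point (a): the remote bind uses cn=syncuser, not the provider's rootdn.
syncrepl rid=123
        provider=ldap://provider.example.com:389
        type=refreshOnly
        interval=01:00:00:00
        searchbase="dc=example,dc=com"
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn="cn=syncuser,dc=example,dc=com"
        credentials=secret
```

Check both fragments with slaptest -f slapd.conf before starting slapd. A quick way to confirm the limits entry is doing its job is to run the same subtree search from a client bound as cn=syncuser (ldapsearch -x -D "cn=syncuser,dc=example,dc=com" -w secret -b "dc=example,dc=com" dn) and as the provider's rootdn, and compare the number of dn: lines returned; if the syncuser result is shorter or ends with a sizelimit exceeded result, the consumer's initial refresh will be incomplete.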