On Tue, 15 Jan 2013 13:37:06 GMT masarati@aero.polimi.it wrote
On 01/15/2013 01:56 PM, hyc@symas.com wrote:
On Tue, Jan 15, 2013 at 12:18:59PM +0000, michael@stroeder.com wrote:
Full_Name: Version: RE24 6f33e2c OS: URL: Submission from: (NULL) (2001:8d8:1fe:1:d6be:d9ff:fe06:a14f)
It seems that operational attributes generated by slapo-allowed are replicated. >
Works as designed. These attributes are directoryOperation, not DSA-specific.
I see the point; since they're generated by the overlay in response to search operations, either they should not be replicated, or replication should accept them.
Their value depends on ACLs, so in order to reflect ACLs on a specific DSA they should be generated; however, I concur ACLs should not depend on the specific DSA of a replication setup.
The values depend on local ACLs *and* current authz-DN.
=> These attributes MUST NOT be replicated.
Ciao, Michael.
-
michael@stroeder.com