[Note: The previous patch did not fix the problem when the consumer's access was restricted to the replicated subtree. This patch fixes that.]
Perform the internal FIND_CSN search based at the backend's suffix with the privileges of the backend's root DN.
---
 servers/slapd/overlays/syncprov.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/servers/slapd/overlays/syncprov.c b/servers/slapd/overlays/syncprov.c
index 0c148f9..a058e19 100644
--- a/servers/slapd/overlays/syncprov.c
+++ b/servers/slapd/overlays/syncprov.c
@@ -661,6 +661,8 @@ again:
 if ( BER_BVISEMPTY( &cf.f_av_value )) {
 cf.f_av_value = *csn;
 }
+ fop.o_dn = op->o_bd->be_rootdn;
+ fop.o_ndn = op->o_bd->be_rootndn;
 fop.o_req_dn = op->o_bd->be_suffix[0];
 fop.o_req_ndn = op->o_bd->be_nsuffix[0];
 /* Look for exact match the first time */
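Review bot: The two added assignments copy `be_rootdn`/`be_rootndn` into `fop` without checking that the backend actually has a root DN configured. If those values are empty, the internal search would presumably be evaluated with an empty identity, and the CSN lookup could fail for a restricted consumer in the same way this commit sets out to prevent. Consider guarding the assignments, e.g. `if ( !BER_BVISEMPTY( &op->o_bd->be_rootndn )) { fop.o_dn = op->o_bd->be_rootdn; fop.o_ndn = op->o_bd->be_rootndn; }`, or documenting that a root DN is required. Because this raises the privileges of an operation started by a remote consumer, it also deserves a why-comment above the assignments, such as `/* internal existence check only: run as rootdn so consumer ACLs cannot hide entryCSN; nothing found via fop is returned to the client */`, assuming that holds. The rest of the function lies outside the hunk, so confirm that `fop` is never reused for a search whose results reach the consumer, and that the other search modes do not need the same identity.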