rein@OpenLDAP.org wrote:

Full_Name: Rein Tollevik Version: CVS head OS: linux, solaris URL: Submission from: (NULL) (84.215.36.97) Submitted by: rein

syncrepl_updateCookie() doesn't initialize mod.sml_flags, which means that the contextCSN modification is done with a random value. Which again can cause the modify to fail if syncrepl is used on a subordinate DB with another rootdn than what the glue DB has.

As documented, glued DBs must all have the same rootDN. Any other configuration is a user error.

syncprov_checkpoint() has a similar problem, it initializes mod.sml_flags to 0. When a checkpoint occur the modify operation is run with the privileges of what might be in op->o_ndn. Checkpoint when the database is closed always works though, as op->o_ndn is always set to the rootdn when that is done.

I'll commit a fix that sets mod.sml_flags to SLAP_MOD_INTERNAL shortly, so that access control rules are bypassed.

Rein Tollevik Basefarm AS