Ralph Rößner wrote:
Hello list,
I have noticed (as of 2.4.7) an interaction of searchAndPersist syncrepl, search filters, and access rules that looks weird to me. Before I call it a bug (and submit to ITS) I'd like to ask whether I'm not just missing the point and everything is working as intended.
So here is the situation: We replicate just part of the provider data by annotating the objects to replicate with an extra replication info attribute. Access to that attribute is restricted. Now when an object is changed, we observe this: If the change is made by a user who has read access to the replication info attribute then the change is replicated. Otherwise it is not. It appears that the replication filter is evaluated using the access rights of the user making the modification, not those of the replication user.
If someone can tell me that this is not a problem because ... whatever reason then I'm interested to know. Otherwise I'll pack up configs, logs, etc. and file a bug report.
Please check after applying this patch:
diff -u -r1.215 syncprov.c --- ./servers/slapd/overlays/syncprov.c 10 Feb 2008 23:19:43 -0000 1.215 +++ ./servers/slapd/overlays/syncprov.c 7 Mar 2008 23:30:34 -0000 @@ -1209,7 +1209,7 @@ }
/* check if current o_req_dn is in scope and matches filter */ - if ( fc.fscope && test_filter( op, e, ss->s_op->ors_filter ) == + if ( fc.fscope && test_filter( ss->s_op, e, ss->s_op->ors_filter ) == LDAP_COMPARE_TRUE ) { if ( saveit ) { sm = op->o_tmpalloc( sizeof(syncmatches), op->o_tmpmemctx );
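Review bot: The changed test_filter() call now takes ss->s_op while the lines that follow still allocate through op->o_tmpalloc and op->o_tmpmemctx, so two different operations are in play inside one block and nothing in the hunk says why. Please extend the existing comment ("check if current o_req_dn is in scope and matches filter") to state that the filter is deliberately evaluated as the sync session's operation, so that access rules apply to the replication identity rather than to the modifier. It is also worth confirming that whatever test_filter() takes from its operation argument besides the identity (for instance a temporary memory context like the op->o_tmpmemctx used just below) is safe to use from the modifying operation's thread.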
If it fixes your issue, please file an ITS.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
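A simplified model of the behaviour discussed in this thread, added here as an illustration; it is not slapd code and does not come from either poster. The types, function names, DNs and the ACL are constructed for the example, and the only thing taken from the thread is which operation's identity the filter check runs under.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, NOT slapd code: every name, DN and ACL here is constructed. */
typedef struct { const char *bound_dn; } model_op;   /* identity an operation runs as */
typedef struct { const char *dn; const char *repl_info; } model_entry;

static const model_op REPLICATOR = { "cn=replicator,dc=example,dc=com" };
static const model_op ADMIN      = { "cn=admin,dc=example,dc=com" };
static const model_op PLAIN_USER = { "uid=jdoe,ou=people,dc=example,dc=com" };
static const model_entry MARKED   = { "uid=jdoe,ou=people,dc=example,dc=com", "yes" };
static const model_entry UNMARKED = { "uid=tmp,ou=people,dc=example,dc=com", NULL };

/* Constructed ACL: only the replicator and the admin may access the annotation. */
static int can_access_repl_info(const model_op *op) {
    return strcmp(op->bound_dn, REPLICATOR.bound_dn) == 0 ||
           strcmp(op->bound_dn, ADMIN.bound_dn) == 0;
}

/* Equality filter on the restricted attribute. An identity without access
 * to the attribute cannot get a match, whatever the stored value is. */
static int model_test_filter(const model_op *op, const model_entry *e, const char *want) {
    if (!can_access_repl_info(op)) return 0;
    return e->repl_info != NULL && strcmp(e->repl_info, want) == 0;
}

/* as_session == 0: filter evaluated as the modifying operation (reported behaviour).
 * as_session == 1: filter evaluated as the sync session's own operation,
 *                  the argument the patch passes instead. */
static int change_is_replicated(const model_op *modifier, const model_op *session,
                                const model_entry *e, int as_session) {
    return model_test_filter(as_session ? session : modifier, e, "yes");
}

int main(void) {
    const model_op *mods[] = { &ADMIN, &PLAIN_USER };
    for (int i = 0; i < 2; i++)
        printf("%-40s modifier-identity=%d session-identity=%d\n", mods[i]->bound_dn,
               change_is_replicated(mods[i], &REPLICATOR, &MARKED, 0),
               change_is_replicated(mods[i], &REPLICATOR, &MARKED, 1));
    /* An entry without the annotation is not replicated under either rule. */
    printf("unmarked entry: %d\n", change_is_replicated(&ADMIN, &REPLICATOR, &UNMARKED, 1));
    return 0;
}
```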