Re: delta-syncrepl and acl limitation

Hello, Le 23.10.2008 17:00,> Pierangelo Masarati (par Internet) a écrit : > COMBES Julien - CETE Lyon/DI/ET/PAMELA wrote: > >> I use openldap 2.3.39. >> >> The Openldap admin guide indicates that (in chapter 15 for the >> openldap 2.3 and 17.2.1 for 2.4) : >> "Syncrepl supports both partial and sparse replications. The shadow >> DIT fragment is defined by a general search criteria consisting of >> base, scope, filter, and attribute list. The replica content is also >> subject to the access privileges of the bind identity of the syncrepl >> replication connection." [...] >> With delta-syncrepl, is it possible to do partial replication on slave >> with ACL limitation on master ? > I don't see any ACL, nor a base/scope/filter restriction in your > configuration. Can you please point our what is the exact issue you're > seeing? I come back with a simplified version of my ACL for which I have also the problem. With This ACL and with delta-syncrepl : - when I start the slave with an empty base, all work fine : just entries readable on the master are replicated. - when I modify an entry on the master which is not readable by the slave, I have the following message on the slave : Nov 3 11:31:17 ldapdist23-ida01 slapd[27784]: syncrepl_message_to_op: rid 001 be_modify uid=hercule.butto,ou=ser3,ou=ser2,ou=ser1,ou=ser,ou=foo,ou=organisation,dc=my,dc=domain (32) ------------------------------------------------------------------------ ACL on the master : access to dn.subtree="cn=monitor" by peername.ip=127.0.0.1 read by * none access to dn.subtree="cn=accesslog" by dn="cn=adm,ou=adm,ou=ressources,dc=my,dc=domain" read by dn.regex="cn=sync\..*,ou=adm,ou=ressources,dc=my,dc=domain" read by dn.regex="cn=sync\..*,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain" read by * none access to dn.base="" by * read access to dn.sub="ou=Test-P1,ou=TF,ou=foo,ou=organisation,dc=my,dc=domain" by dn.exact="cn=sync.service1,ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain" peername.ip=192.168.251.207 read by * break access to dn.sub="ou=P2,ou=TF,ou=foo,ou=organisation,dc=my,dc=domain" by dn.exact="cn=sync.service1,ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain" peername.ip=192.168.251.207 read by * break access to dn.sub="ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain" by dn.exact="cn=sync.service1,ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain" peername.ip=192.168.251.207 read by * break access to dn.sub="ou=OH,ou=foo,ou=organisation,dc=my,dc=domain" filter="(|(cn=*P2*)(cn=*Test-P1*))" by dn.exact="cn=sync.service1,ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain" peername.ip=192.168.251.207 read by * break access to * by dn.exact="cn=sync.service1,ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain" peername.ip=192.168.251.207 none by * break access to attrs=userPassword by dn="cn=adm,ou=adm,ou=ressources,dc=my,dc=domain" write by anonymous auth by self write by * none access to * by dn="cn=adm,ou=adm,ou=ressources,dc=my,dc=domain" write by * read ------------------------------------------------------------------------