COMBES Julien - CETE Lyon/DI/ET/PAMELA wrote:
I use openldap 2.3.39.
The OpenLDAP admin guide indicates (in chapter 15 for OpenLDAP 2.3 and 17.2.1 for 2.4): "Syncrepl supports both partial and sparse replications. The shadow DIT fragment is defined by a general search criteria consisting of base, scope, filter, and attribute list. The replica content is also subject to the access privileges of the bind identity of the syncrepl replication connection."
So, I understand that, in syncrepl, I could do a partial replication on the slave with ACL limitation on the master.
I have tried this with delta-syncrepl (with accesslog) but it doesn't seem to work, with that kind of message on the slave:
slapd : syncrepl_message_to_op: rid 252 be_modify cn=one_entry,ou=foo,ou=bar,dc=my,dc=domain (32)
The slave doesn't have the entry (due to ACL limitations) but sees modifications to it in the accesslog base and tries to synchronize the entry.
With delta-syncrepl, is it possible to do partial replication on the slave with ACL limitation on the master?
master delta-syncrepl conf:

# Accesslog database
database hdb
suffix "cn=accesslog"
rootdn "cn=accesslog"
directory "/var/lib/ldap/accesslog"
index entryCSN,objectClass,reqEnd,reqResult,reqStart eq
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
limits dn.regex="cn=syncuser..*,ou=foo,ou=bar,dc=my,dc=domain" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited

# Primary database
database hdb
suffix "dc=my,dc=domain"
rootdn "dc=my,dc=domain"
[...]
overlay syncprov
syncprov-checkpoint 100 10
overlay accesslog
logdb "cn=accesslog"
logops writes
logsuccess TRUE
logpurge 07+00:00 01+00:00
slave delta-syncrepl conf:

syncrepl rid=252
    provider=ldaps://ldapmaster.my.domain
    type=refreshAndPersist
    retry="60 10 300 +"
    searchbase="dc=my,dc=domain"
    filter="(objectClass=*)"
    scope=sub
    schemachecking=off
    updatedn="cn=replicsyncrepl,ou=foo,ou=bar,dc=my,dc=domain"
    bindmethod=simple
    binddn="cn=syncuser.slaveone,ou=foo,ou=bar,dc=my,dc=domain"
    credentials=<secret>
    logbase="cn=accesslog"
    syncdata=accesslog
updateref ldaps://ldapmaster.my.domain
I don't see any ACL, nor a base/scope/filter restriction in your configuration. Can you please point out what is the exact issue you're seeing? Also, I note that "updatedn" is not a valid parameter of the "syncrepl" statement. You should run with -dconfig in order to track any configuration issue in your slapd.conf (OpenLDAP 2.4 would treat any misconfiguration as an error).
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
-----------------------------------
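For readers following this thread, here is an added example (not part of either message, and not taken from the OpenLDAP documentation) of the partial replication mechanism the admin guide passage quoted above describes, in its plain syncrepl form: on the provider, an ACL confines the replication identity to one subtree, and on the consumer the syncrepl search itself is narrowed by base, filter and attribute list. The subtree ou=people, the objectClass filter and the attribute list are assumptions chosen for illustration; the replication identity and host names reuse the ones posted in the thread. The delta-syncrepl (accesslog) case asked about in the original message is deliberately left out, since the thread does not settle how it behaves.

```conf
# ---- provider (master) slapd.conf, added example with hypothetical DNs ----

# Passwords: only the owner may write, anonymous may only use them to bind.
# This rule comes first so the replication identity can still authenticate.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# The replication identity gets read access to ou=people and nothing else,
# so entries outside that subtree are never handed to the consumer.
access to dn.subtree="ou=people,dc=my,dc=domain"
    by dn.exact="cn=syncuser.slaveone,ou=foo,ou=bar,dc=my,dc=domain" read
    by users read
    by * none

# Everything else in the DIT is invisible to the replication identity.
access to dn.subtree="dc=my,dc=domain"
    by dn.exact="cn=syncuser.slaveone,ou=foo,ou=bar,dc=my,dc=domain" none
    by users read
    by * none

database hdb
suffix "dc=my,dc=domain"
rootdn "cn=admin,dc=my,dc=domain"
overlay syncprov
syncprov-checkpoint 100 10

# ---- consumer (slave) slapd.conf, added example ----

# The search criteria (base, scope, filter, attrs) define the shadow DIT
# fragment; the provider ACL above further limits what is actually returned.
syncrepl rid=252
    provider=ldaps://ldapmaster.my.domain
    type=refreshAndPersist
    retry="60 10 300 +"
    searchbase="ou=people,dc=my,dc=domain"
    scope=sub
    filter="(objectClass=inetOrgPerson)"
    attrs="objectClass,cn,sn,mail"
    schemachecking=off
    bindmethod=simple
    binddn="cn=syncuser.slaveone,ou=foo,ou=bar,dc=my,dc=domain"
    credentials=<secret>
updateref ldaps://ldapmaster.my.domain
```

A useful check before enabling the consumer is to bind to the provider as the replication identity and run the same search by hand, e.g. ldapsearch -H ldaps://ldapmaster.my.domain -D "cn=syncuser.slaveone,ou=foo,ou=bar,dc=my,dc=domain" -W -b "ou=people,dc=my,dc=domain" "(objectClass=inetOrgPerson)" objectClass cn sn mail: whatever that search returns is exactly the content the consumer can ever receive, and an entry missing from it is an ACL or filter question on the provider, not a syncrepl one.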