Hi all,
We have a brand new LDAP server that we are going to replicate to an outside replica, for an extranet purpose. During this replication, we would like to remove the "posixAccount" objectClass and only keep the "inetOrgPerson" and "top" ones, so we don't need to put passwords or anything else not needed there. I heard about slapo-rwm, but it seems to be buggy.
Leave "buggy" aside (it's not "buggy", but it may have interaction problems with slapo-syncprov(5)). Or, if you notice a bug, please submit an ITS.
I'm sure that some of you have already done that; maybe there is a better way.
You should use the primary mechanisms syncrepl provides for this purpose: the filter, the attribute list and ACLs. You can simply hide the attributes related to posixAccount in a specific set of ACLs that are only triggered by the replicator's identity. Something like:
access to attrs=objectClass val=posixAccount by dn=cn=replicator none by * break
access to attrs=@posixAccount by dn=cn=replicator none by * break
Note: you may need to craft that a little bit if posixAccount also contains stuff used by other objectClasses you don't want to be filtered out.
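The following is an added example that spells out the approach sketched in the reply above; it is not configuration from the original thread or from the OpenLDAP project. The suffix dc=example,dc=com, the replicator DN cn=replicator,dc=example,dc=com, the provider URL and the explicit attribute list are assumptions. It covers both sides: the provider ACLs that enforce the hiding (the extranet consumer is outside your trust boundary, so the provider must be the enforcement point), and the consumer syncrepl stanza that additionally restricts the filter and attribute list. Because cn and uid are also used by person/inetOrgPerson, the posixAccount-only attributes are listed explicitly instead of using attrs=@posixAccount, which would also strip cn and break schema checking on the consumer.

```conf
########################################################################
# Provider (internal master) slapd.conf fragment.  Added example;
# assumed suffix dc=example,dc=com and replicator identity below.
########################################################################

# Hide the posixAccount objectClass value itself from the replicator.
# Other identities fall through ("break") to the ACLs further down.
access to attrs=objectClass val=posixAccount
        by dn.exact="cn=replicator,dc=example,dc=com" none
        by * break

# Hide the attributes that belong only to posixAccount.  cn and uid are
# deliberately NOT listed: they are required/allowed by inetOrgPerson and
# must still replicate, which is why attrs=@posixAccount is not used here.
access to attrs=uidNumber,gidNumber,homeDirectory,loginShell,gecos,userPassword
        by dn.exact="cn=replicator,dc=example,dc=com" none
        by * break

# Normal ACLs.  The replicator never reaches the userPassword rule because
# it was already denied above; it gets read on everything else.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to *
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by users read
        by * none

# Provider-side sync overlay for this database.
overlay syncprov
syncprov-checkpoint 100 10

########################################################################
# Consumer (extranet replica) slapd.conf fragment.  Added example; the
# provider URL, searchbase and attribute list are assumptions.
########################################################################
syncrepl rid=001
        provider=ldaps://ldap.example.com
        type=refreshAndPersist
        retry="60 +"
        searchbase="ou=people,dc=example,dc=com"
        scope=sub
        filter="(objectClass=inetOrgPerson)"
        attrs="objectClass,cn,sn,givenName,mail,uid"
        schemachecking=on
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=secret
```

The consumer-side filter and attrs only narrow what the replica asks for; a compromised or misconfigured replica could ask for more, so the provider ACLs above are what actually keeps uidNumber, homeDirectory and userPassword off the extranet box. Keep schemachecking=on on the consumer as a check that the trimmed entries are still valid inetOrgPerson entries (cn and sn present, posixAccount gone): if the ACL accidentally hides a required attribute, the consumer will reject the entry instead of silently storing something malformed. Verify the result from the provider with ldapsearch bound as the replicator before enabling replication.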