Hello,
Thanks for your answers.
On 04.11.2008 11:52, Howard Chu wrote:
Since you're using delta-syncrepl, you have to set corresponding ACLs on the log DB in order to prevent the consumer from seeing the entries you don't want it to access.
I had tried putting ACLs on the log DB before asking questions on the list, but I did not succeed.
To reflect the ACLs of the database onto the "log DB", and because the "log DB" is a flat database with all entries matching "objectClass=auditModify" and with dn="reqStart=...", I imagined putting ACLs on reqDN. I have tried ACLs like this:
access to dn.subtree="cn=accesslog" filter="(reqDN=*ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain)" by dn="cn=sync.service1,ou=adm,ou=ressources,dc=my,dc=domain" read by * break
access to dn.subtree="cn=accesslog" by dn="cn=adm,ou=adm,ou=ressources,dc=my,dc=domain" read by * none
But, with this ACL, an ldapsearch request on a reqDN which should be visible to the sync account (cn=sync.service1) returns nothing, whereas the same request with "cn=adm" returns the entries (both accounts have "unlimited limits").
Is there something wrong with this ACL? Am I going about this the wrong way? Which kind of ACL can be put on the log DB?
Regards, Julien
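The fragment below is an added example and is not from this thread or from the OpenLDAP project: it shows one way to scope a delta-syncrepl consumer's view of the accesslog database so that cn=sync.service1 can read only the log entries whose target DN lies under ou=P1, while cn=adm keeps full read access. It reuses the DNs from the message above; the database type, directory path and index lines are my assumptions and placeholders, and it assumes a slapd that supports the dnSubtreeMatch extensible matching rule. It uses that rule on reqDN instead of a substring assertion because reqDN has distinguishedName syntax, for which no substring matching rule is defined.

```conf
# Added example (not from the thread): ACLs on the accesslog database for a
# delta-syncrepl consumer that should only replicate the ou=P1 subtree.
# Assumed: OpenLDAP 2.4, accesslog overlay writing into this database, and the
# dnSubtreeMatch extensible rule. Path and index lines are placeholders.

database        hdb
suffix          "cn=accesslog"
directory       /var/lib/ldap/accesslog        # placeholder path
rootdn          "cn=accesslog"
index           default eq
index           entryCSN,objectClass,reqEnd,reqResult,reqStart,reqDN

# 1. The consumer must be able to read the root entry of the log DB: it carries
#    contextCSN and is the search base of the syncrepl session.
access to dn.base="cn=accesslog"
        by dn.exact="cn=sync.service1,ou=adm,ou=ressources,dc=my,dc=domain" read
        by dn.exact="cn=adm,ou=adm,ou=ressources,dc=my,dc=domain" read
        by * none

# 2. Log entries whose target DN is at or below ou=P1: readable by the P1
#    consumer; everyone else falls through to the next rule.
#    dnSubtreeMatch is a scoped DN comparison, unlike "reqDN=*ou=P1,...",
#    which is a substring assertion that DN-syntax attributes never match.
access to dn.subtree="cn=accesslog"
        filter="(reqDN:dnSubtreeMatch:=ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain)"
        by dn.exact="cn=sync.service1,ou=adm,ou=ressources,dc=my,dc=domain" read
        by * break

# 3. Everything else in the log (including writes outside ou=P1): adm only.
access to dn.subtree="cn=accesslog"
        by dn.exact="cn=adm,ou=adm,ou=ressources,dc=my,dc=domain" read
        by * none
```

To check the effect before pointing a consumer at it, bind as the consumer identity and run a plain search over the log, for example `ldapsearch -x -D "cn=sync.service1,ou=adm,ou=ressources,dc=my,dc=domain" -W -b cn=accesslog "(objectClass=auditWriteObject)" reqDN`: the result should list only entries whose reqDN is under ou=P1, and the same search bound as cn=adm should list all of them. Rule 1 matters because a consumer that cannot read cn=accesslog itself never sees contextCSN and the session silently replicates nothing.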