Hello
I use openldap 2.3.39.
The OpenLDAP admin guide indicates (chapter 15 for OpenLDAP 2.3, 17.2.1 for 2.4): "Syncrepl supports both partial and sparse replications. The shadow DIT fragment is defined by a general search criteria consisting of base, scope, filter, and attribute list. The replica content is also subject to the access privileges of the bind identity of the syncrepl replication connection."
So, I understand that, in syncrepl, I could do a partial replication on the slave with ACL limitation on the master.
I have tried this with delta-syncrepl (with accesslog) but it doesn't seem to work; I get this kind of message on the slave:
slapd: syncrepl_message_to_op: rid 252 be_modify cn=one_entry,ou=foo,ou=bar,dc=my,dc=domain (32)
The slave doesn't have the entry (due to ACL limitations) but sees modifications on it in the accesslog base and tries to synchronize the entry.
With delta-syncrepl, is it possible to do partial replication on the slave with ACL limitation on the master?
master delta-syncrepl conf:

# Accesslog database
database hdb
suffix "cn=accesslog"
rootdn "cn=accesslog"
directory "/var/lib/ldap/accesslog"
index entryCSN,objectClass,reqEnd,reqResult,reqStart eq
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
limits dn.regex="cn=syncuser..*,ou=foo,ou=bar,dc=my,dc=domain" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited

database hdb
suffix "dc=my,dc=domain"
rootdn "dc=my,dc=domain"
[...]
overlay syncprov
syncprov-checkpoint 100 10
overlay accesslog
logdb "cn=accesslog"
logops writes
logsuccess TRUE
logpurge 07+00:00 01+00:00

slave delta-syncrepl conf:

syncrepl rid=252
    provider=ldaps://ldapmaster.my.domain
    type=refreshAndPersist
    retry="60 10 300 +"
    searchbase="dc=my,dc=domain"
    filter="(objectClass=*)"
    scope=sub
    schemachecking=off
    updatedn="cn=replicsyncrepl,ou=foo,ou=bar,dc=my,dc=domain"
    bindmethod=simple
    binddn="cn=syncuser.slaveone,ou=foo,ou=bar,dc=my,dc=domain"
    credentials=<secret>
    logbase="cn=accesslog"
    syncdata=accesslog
updateref ldaps://ldapmaster.my.domain
Regards, Julien
COMBES Julien - CETE Lyon/DI/ET/PAMELA wrote:
> I use openldap 2.3.39.
> The OpenLDAP admin guide indicates (chapter 15 for OpenLDAP 2.3, 17.2.1 for 2.4): "Syncrepl supports both partial and sparse replications. The shadow DIT fragment is defined by a general search criteria consisting of base, scope, filter, and attribute list. The replica content is also subject to the access privileges of the bind identity of the syncrepl replication connection."
> So, I understand that, in syncrepl, I could do a partial replication on the slave with ACL limitation on the master.
> I have tried this with delta-syncrepl (with accesslog) but it doesn't seem to work; I get this kind of message on the slave:
> slapd: syncrepl_message_to_op: rid 252 be_modify cn=one_entry,ou=foo,ou=bar,dc=my,dc=domain (32)
> The slave doesn't have the entry (due to ACL limitations) but sees modifications on it in the accesslog base and tries to synchronize the entry.
> With delta-syncrepl, is it possible to do partial replication on the slave with ACL limitation on the master?
>
> master delta-syncrepl conf:
>
> # Accesslog database
> database hdb
> suffix "cn=accesslog"
> rootdn "cn=accesslog"
> directory "/var/lib/ldap/accesslog"
> index entryCSN,objectClass,reqEnd,reqResult,reqStart eq
> overlay syncprov
> syncprov-nopresent TRUE
> syncprov-reloadhint TRUE
> limits dn.regex="cn=syncuser..*,ou=foo,ou=bar,dc=my,dc=domain" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited
>
> database hdb
> suffix "dc=my,dc=domain"
> rootdn "dc=my,dc=domain"
> [...]
> overlay syncprov
> syncprov-checkpoint 100 10
> overlay accesslog
> logdb "cn=accesslog"
> logops writes
> logsuccess TRUE
> logpurge 07+00:00 01+00:00
>
> slave delta-syncrepl conf:
>
> syncrepl rid=252
>     provider=ldaps://ldapmaster.my.domain
>     type=refreshAndPersist
>     retry="60 10 300 +"
>     searchbase="dc=my,dc=domain"
>     filter="(objectClass=*)"
>     scope=sub
>     schemachecking=off
>     updatedn="cn=replicsyncrepl,ou=foo,ou=bar,dc=my,dc=domain"
>     bindmethod=simple
>     binddn="cn=syncuser.slaveone,ou=foo,ou=bar,dc=my,dc=domain"
>     credentials=<secret>
>     logbase="cn=accesslog"
>     syncdata=accesslog
> updateref ldaps://ldapmaster.my.domain
I don't see any ACL, nor a base/scope/filter restriction in your configuration. Can you please point out what is the exact issue you're seeing? Also, I note that "updatedn" is not a valid parameter of the "syncrepl" statement. You should run with -dconfig in order to track any configuration issue in your slapd.conf (OpenLDAP 2.4 would treat any misconfiguration as an error).
p.

Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
Hello,
On 23.10.2008 17:00, Pierangelo Masarati (via Internet) wrote:
> COMBES Julien - CETE Lyon/DI/ET/PAMELA wrote:
>> I use openldap 2.3.39.
>> The OpenLDAP admin guide indicates (chapter 15 for OpenLDAP 2.3, 17.2.1 for 2.4): "Syncrepl supports both partial and sparse replications. The shadow DIT fragment is defined by a general search criteria consisting of base, scope, filter, and attribute list. The replica content is also subject to the access privileges of the bind identity of the syncrepl replication connection."
>> [...]
>> With delta-syncrepl, is it possible to do partial replication on the slave with ACL limitation on the master?
> I don't see any ACL, nor a base/scope/filter restriction in your configuration. Can you please point out what is the exact issue you're seeing?
I come back with a simplified version of my ACL with which I also have the problem. With this ACL and with delta-syncrepl:
- when I start the slave with an empty base, all works fine: only entries readable on the master are replicated.
- when I modify an entry on the master which is not readable by the slave, I get the following message on the slave:
Nov 3 11:31:17 ldapdist23-ida01 slapd[27784]: syncrepl_message_to_op: rid 001 be_modify uid=hercule.butto,ou=ser3,ou=ser2,ou=ser1,ou=ser,ou=foo,ou=organisation,dc=my,dc=domain (32)
ACL on the master:

access to dn.subtree="cn=monitor"
    by peername.ip=127.0.0.1 read
    by * none
access to dn.subtree="cn=accesslog"
    by dn="cn=adm,ou=adm,ou=ressources,dc=my,dc=domain" read
    by dn.regex="cn=sync..*,ou=adm,ou=ressources,dc=my,dc=domain" read
    by dn.regex="cn=sync..*,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain" read
    by * none
access to dn.base=""
    by * read
access to dn.sub="ou=Test-P1,ou=TF,ou=foo,ou=organisation,dc=my,dc=domain"
    by dn.exact="cn=sync.service1,ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain" peername.ip=192.168.251.207 read
    by * break
access to dn.sub="ou=P2,ou=TF,ou=foo,ou=organisation,dc=my,dc=domain"
    by dn.exact="cn=sync.service1,ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain" peername.ip=192.168.251.207 read
    by * break
access to dn.sub="ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain"
    by dn.exact="cn=sync.service1,ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain" peername.ip=192.168.251.207 read
    by * break
access to dn.sub="ou=OH,ou=foo,ou=organisation,dc=my,dc=domain" filter="(|(cn=*P2*)(cn=*Test-P1*))"
    by dn.exact="cn=sync.service1,ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain" peername.ip=192.168.251.207 read
    by * break
access to *
    by dn.exact="cn=sync.service1,ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain" peername.ip=192.168.251.207 none
    by * break
access to attrs=userPassword
    by dn="cn=adm,ou=adm,ou=ressources,dc=my,dc=domain" write
    by anonymous auth
    by self write
    by * none
access to *
    by dn="cn=adm,ou=adm,ou=ressources,dc=my,dc=domain" write
    by * read

ACL on the slave:

access to attrs=userPassword
    by anonymous auth
    by self write
    by * none
access to *
    by * read
> Also, I note that "updatedn" is not a valid parameter of the "syncrepl" statement.
Ok, Thanks. I have corrected that.
Regards, Julien
COMBES Julien - CETE Lyon/DI/ET/PAMELA wrote:
> Hello,
> On 23.10.2008 17:00, Pierangelo Masarati (via Internet) wrote:
>> COMBES Julien - CETE Lyon/DI/ET/PAMELA wrote:
>>> I use openldap 2.3.39.
>>> The OpenLDAP admin guide indicates (chapter 15 for OpenLDAP 2.3, 17.2.1 for 2.4): "Syncrepl supports both partial and sparse replications. The shadow DIT fragment is defined by a general search criteria consisting of base, scope, filter, and attribute list. The replica content is also subject to the access privileges of the bind identity of the syncrepl replication connection."
>>> [...]
>>> With delta-syncrepl, is it possible to do partial replication on the slave with ACL limitation on the master?
>> I don't see any ACL, nor a base/scope/filter restriction in your configuration. Can you please point out what is the exact issue you're seeing?
> I come back with a simplified version of my ACL with which I also have the problem. With this ACL and with delta-syncrepl:
> - when I start the slave with an empty base, all works fine: only entries readable on the master are replicated.
> - when I modify an entry on the master which is not readable by the slave, I get the following message on the slave:
> Nov 3 11:31:17 ldapdist23-ida01 slapd[27784]: syncrepl_message_to_op: rid 001 be_modify uid=hercule.butto,ou=ser3,ou=ser2,ou=ser1,ou=ser,ou=foo,ou=organisation,dc=my,dc=domain (32)
>
> ACL on the master:
>
> access to dn.subtree="cn=monitor"
>     by peername.ip=127.0.0.1 read
>     by * none
> access to dn.subtree="cn=accesslog"
>     by dn="cn=adm,ou=adm,ou=ressources,dc=my,dc=domain" read
>     by dn.regex="cn=sync..*,ou=adm,ou=ressources,dc=my,dc=domain" read
>     by dn.regex="cn=sync..*,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain" read
>     by * none
> access to dn.base=""
>     by * read
> access to dn.sub="ou=Test-P1,ou=TF,ou=foo,ou=organisation,dc=my,dc=domain"
>     by dn.exact="cn=sync.service1,ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain" peername.ip=192.168.251.207 read
>     by * break
> access to dn.sub="ou=P2,ou=TF,ou=foo,ou=organisation,dc=my,dc=domain"
>     by dn.exact="cn=sync.service1,ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain" peername.ip=192.168.251.207 read
>     by * break
> access to dn.sub="ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain"
>     by dn.exact="cn=sync.service1,ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain" peername.ip=192.168.251.207 read
>     by * break
> access to dn.sub="ou=OH,ou=foo,ou=organisation,dc=my,dc=domain" filter="(|(cn=*P2*)(cn=*Test-P1*))"
>     by dn.exact="cn=sync.service1,ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain" peername.ip=192.168.251.207 read
>     by * break
> access to *
>     by dn.exact="cn=sync.service1,ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain" peername.ip=192.168.251.207 none
>     by * break
> access to attrs=userPassword
>     by dn="cn=adm,ou=adm,ou=ressources,dc=my,dc=domain" write
>     by anonymous auth
>     by self write
>     by * none
> access to *
>     by dn="cn=adm,ou=adm,ou=ressources,dc=my,dc=domain" write
>     by * read
Since you're using delta-syncrepl, you have to set corresponding ACLs on the log DB in order to prevent the consumer from seeing the entries you don't want it to access.
Hello,
Thanks for your answers.
On 04.11.2008 11:52, Howard Chu wrote:
> Since you're using delta-syncrepl, you have to set corresponding ACLs on the log DB in order to prevent the consumer from seeing the entries you don't want it to access.
I had tested putting ACLs on the log DB before asking on the list, but I did not succeed.
To reflect the ACLs of the main database on the log DB, and because the log DB is a flat database in which all entries match "objectClass=auditModify" and have dn="reqStart=...", I imagined putting ACLs on reqDN. I have tried ACLs like this:

access to dn.subtree="cn=accesslog" filter="(reqDN=*ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain)"
    by dn="cn=sync.service1,ou=adm,ou=ressources,dc=my,dc=domain" read
    by * break
access to dn.subtree="cn=accesslog"
    by dn="cn=adm,ou=adm,ou=ressources,dc=my,dc=domain" read
    by * none

But, with this ACL, an ldapsearch request on a reqDN which should be visible to the sync account (cn=sync.service1) returns nothing, whereas the same request with "cn=adm" returns the entries (both accounts have unlimited limits).
Is there something wrong with this ACL? Am I going about this the wrong way? Which kind of ACL can be put on the log DB?
Regards, Julien
openldap-software@openldap.org
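The consumer-side symptom in this thread is the `syncrepl_message_to_op ... (32)` line: LDAP result code 32 is noSuchObject, returned when the delta-syncrepl log replays a change to an entry the partial replica never received. The script below is an added example, not code from the thread or from OpenLDAP; it parses such slapd log lines and flags the ones whose target DN lies outside the subtrees the sync identity is allowed to read, so an operator can tell "out-of-scope change leaked through the accesslog" apart from other replication failures. The readable subtrees are taken from the `access to dn.sub=...` rules of the master ACL above (the ou=OH rule also carries an attribute filter, which this DN-only check ignores); the second sample log line and the `normalize_dn` helper are assumptions constructed for the example.

```python
"""Added example (not from the thread or OpenLDAP): scan consumer slapd logs
for syncrepl_message_to_op failures on DNs outside the replicated scope."""
import re
from typing import Optional

LDAP_NO_SUCH_OBJECT = 32  # result code in the "(32)" suffix of the log line

# Shape of the message quoted in the thread, after the syslog prefix:
#   syncrepl_message_to_op: rid 001 be_modify <dn> (32)
LOG_RE = re.compile(
    r"syncrepl_message_to_op: rid (?P<rid>\d+) be_(?P<op>\w+) "
    r"(?P<dn>.+?) \((?P<rc>\d+)\)\s*$"
)


def normalize_dn(dn: str) -> list:
    """Split a DN into RDNs on unescaped commas, fold case and whitespace.
    Simplified RFC 4514 normalization (assumption: enough for these DNs)."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]


def dn_in_subtree(dn: str, base: str) -> bool:
    """True if dn equals base or sits below it, like an ACL dn.subtree match."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def parse_line(line: str) -> Optional[dict]:
    """Extract rid, operation, target DN and result code; None if no match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {"rid": int(m["rid"]), "op": m["op"], "dn": m["dn"], "rc": int(m["rc"])}


def scan(lines, readable_subtrees):
    """One record per syncrepl_message_to_op line, marking whether the DN is
    inside a readable subtree and whether a rc=32 failure is the
    out-of-scope case described in the thread."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rec["in_scope"] = any(dn_in_subtree(rec["dn"], b) for b in readable_subtrees)
        rec["out_of_scope_nosuchobject"] = (
            rec["rc"] == LDAP_NO_SUCH_OBJECT and not rec["in_scope"]
        )
        out.append(rec)
    return out


# Subtrees the sync identity may read, from the master ACL in the thread.
READABLE_SUBTREES = [
    "ou=Test-P1,ou=TF,ou=foo,ou=organisation,dc=my,dc=domain",
    "ou=P2,ou=TF,ou=foo,ou=organisation,dc=my,dc=domain",
    "ou=P1,ou=domaines,ou=appdom,ou=bar,ou=ressources,dc=my,dc=domain",
]

# Constructed sample log: line 1 is the one quoted in the thread, line 2 is a
# made-up successful replay of an in-scope entry, line 3 is unrelated noise.
SAMPLE_LOG = [
    "Nov 3 11:31:17 ldapdist23-ida01 slapd[27784]: syncrepl_message_to_op: rid 001 "
    "be_modify uid=hercule.butto,ou=ser3,ou=ser2,ou=ser1,ou=ser,ou=foo,"
    "ou=organisation,dc=my,dc=domain (32)",
    "Nov 3 11:32:05 ldapdist23-ida01 slapd[27784]: syncrepl_message_to_op: rid 001 "
    "be_modify uid=jdoe,ou=P2,ou=TF,ou=foo,ou=organisation,dc=my,dc=domain (0)",
    "Nov 3 11:32:06 ldapdist23-ida01 slapd[27784]: unrelated message",
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG, READABLE_SUBTREES):
        flag = "OUT-OF-SCOPE noSuchObject" if rec["out_of_scope_nosuchobject"] else "ok"
        print(f"rid {rec['rid']:03d} {rec['op']:<8} rc={rec['rc']:<3} {flag}: {rec['dn']}")
```

Run against a real consumer log, a steady stream of flagged lines means the provider's log DB is exposing changes the consumer's DIT ACL never let it read, which is exactly the mismatch Howard Chu's reply says has to be closed on the accesslog side.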