Hi, we want entries to be replicated to a public slave, only if they have an attribute worldreadable=TRUE.
So I've set up an ACL on the master which basically is like:

    access to * filter=(worldreadable=FALSE) by * none
    access to * by * read

Thus, the consumer only sees entries it is allowed to replicate.

Now if an entry's worldreadable attribute is changed from TRUE to FALSE, this modification will not propagate to the consumer and the entry stays visible. However, with refreshOnly this 'lost' entry is detected and removed (syncrepl_del_nonpresent).
--On Tuesday, October 24, 2006 5:00 PM +0200 Norbert Klasen norbert@burgundy.dyndns.org wrote:
> Hi, we want entries to be replicated to a public slave, only if they have an attribute worldreadable=TRUE.
> So I've set up an ACL on the master which basically is like:
>
>     access to * filter=(worldreadable=FALSE) by * none
>     access to * by * read
>
> Thus, the consumer only sees entries it is allowed to replicate.
Wouldn't it be a lot easier to have that ACL on your replica, so that anyone binding can read it when it is true, and no one can read it when it is false? Then you can replicate it all you want, but you don't have to play games with the replication process.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
Norbert Klasen wrote:
> Hi, we want entries to be replicated to a public slave, only if they have an attribute worldreadable=TRUE.
> So I've set up an ACL on the master which basically is like:
>
>     access to * filter=(worldreadable=FALSE) by * none
>     access to * by * read
>
> Thus, the consumer only sees entries it is allowed to replicate.
>
> Now if an entry's worldreadable attribute is changed from TRUE to FALSE, this modification will not propagate to the consumer and the entry stays visible. However, with refreshOnly this 'lost' entry is detected and removed (syncrepl_del_nonpresent).
You should include the filter in your consumer's search spec in order to get these changes propagated immediately.
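The two suggestions in this thread, put together as an added slapd.conf example for the public replica (this is not configuration from either poster; the suffix dc=example,dc=com, the provider host master.example.com, the replicator DN and the credentials are placeholders). The first part is the consumer search spec with the filter that the reply above recommends; the second part is the replica-side ACL Quanah suggested, kept as a second line of defence.

```conf
# Added example (not from the thread): consumer-side slapd.conf for the
# public replica. Suffix, provider host, bind DN and credentials are
# placeholders to be replaced with the real values.

# 1. Put the filter in the consumer's syncrepl search spec, so only
#    entries with worldreadable=TRUE are requested from the provider in
#    the first place. As the reply above says, an entry whose attribute
#    later changes then gets propagated immediately, instead of lingering
#    until a refreshOnly present phase cleans it up (syncrepl_del_nonpresent).
syncrepl rid=001
        provider=ldap://master.example.com
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=example,dc=com"
        scope=sub
        filter="(worldreadable=TRUE)"
        attrs="*,+"
        schemachecking=off
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=secret

# 2. Quanah's suggestion, applied on the replica itself: even if a
#    non-public entry ever ends up stored here, anonymous and authenticated
#    binds cannot read it. The filter is written positively, so an entry
#    that has no worldreadable attribute at all is also hidden, which a
#    rule matching only worldreadable=FALSE would let through.
access to * filter=(!(worldreadable=TRUE))
        by * none
access to *
        by * read
```

The two parts are complementary rather than alternatives. The syncrepl filter decides what data is transmitted and stored on the public host, which matters if that host is less trusted than the master; the ACL only decides what a client can read from whatever is stored there. The consumer's own replication writes are internal operations and are not subject to the replica's ACLs, so the `by * none` rule does not interfere with replication.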
openldap-software@openldap.org