Hello OpenLDAP-software :)!
I have a working syncrepl replication and even managed to do fractional replication (only a subset of attributes are replicated). The list of attributes that should be replicated is defined via ACL on the provider, like this:
access to dn.subtree="ou=users,dc=org,dc=test,dc=si" attrs=entry,top,person,organizationalPerson,inetOrgPerson,eduPerson,schacContactLocation,schacEmployeeInfo,schacEntryConfidentiality,schacEntryMetadata,schacLinkageIdentifiers,schacPersonalCharacteristics,schacUserEntitlements by dn="cn=rep1,ou=replicators,dc=org,dc=test,dc=si" read by anonymous auth
Consumer configuration looks like this:
syncrepl rid=111 provider="ldap://master" type=refreshAndPersist retry="10 +" searchbase="ou=users,dc=org,dc=test,dc=si" bindmethod=simple binddn="cn=rep1,ou=replicators,dc=org,dc=test,dc=si" credentials="xxx" schemachecking=off
===============================================================
Everything is working fine, however the problem is that the provider is using some additional schema with attributes which are of no interest to the consumer. The unwanted attributes are filtered out via the provider ACL, however the data from the provider contains an additional objectClass with a custom schema name. Because the consumer doesn't have this schema it denies replication with an error message:
... slapd[15143]: syncrepl_message_to_entry: mods check (objectClass: value #0 invalid per syntax)
Which is logical... the entry has an unknown objectClass.
Is it possible to somehow also filter out the unwanted "objectClass: unknownLocalStuff" ?
I tried googling for the fractional replication but it seems to be an obscure topic. The OpenLDAP admin manual doesn't mention it so any help is welcome :).
Rok Papez wrote:
> Hello OpenLDAP-software :)!
> I have a working syncrepl replication and even managed to do fractional replication (only a subset of attributes are replicated). The list of attributes that should be replicated is defined via ACL on the provider, like this:
Since you're using ACLs to control things, you should be able to just use a value-specific ACL. There may still be issues with that in 2.3; it definitely works in 2.4:
access to attrs=objectclass val=unknownLocalStuff by dn.exact="cn=rep1,ou=replicators,dc=org,dc=test,dc=si" none break
> access to dn.subtree="ou=users,dc=org,dc=test,dc=si" attrs=entry,top,person,organizationalPerson,inetOrgPerson,eduPerson,schacContactLocation,schacEmployeeInfo,schacEntryConfidentiality,schacEntryMetadata,schacLinkageIdentifiers,schacPersonalCharacteristics,schacUserEntitlements by dn="cn=rep1,ou=replicators,dc=org,dc=test,dc=si" read by anonymous auth
> Consumer configuration looks like this:
> syncrepl rid=111 provider="ldap://master" type=refreshAndPersist retry="10 +" searchbase="ou=users,dc=org,dc=test,dc=si" bindmethod=simple binddn="cn=rep1,ou=replicators,dc=org,dc=test,dc=si" credentials="xxx" schemachecking=off
> ===============================================================
> Everything is working fine, however the problem is that the provider is using some additional schema with attributes which are of no interest to the consumer. The unwanted attributes are filtered out via the provider ACL, however the data from the provider contains an additional objectClass with a custom schema name. Because the consumer doesn't have this schema it denies replication with an error message:
> ... slapd[15143]: syncrepl_message_to_entry: mods check (objectClass: value #0 invalid per syntax)
> Which is logical... the entry has an unknown objectClass.
> Is it possible to somehow also filter out the unwanted "objectClass: unknownLocalStuff" ?
> I tried googling for the fractional replication but it seems to be an obscure topic. The OpenLDAP admin manual doesn't mention it so any help is welcome :).
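A pre-flight check for the situation in this thread, written as an added example (it is not code from either poster or from the OpenLDAP project). It takes an LDIF export of the provider's replicated subtree plus the set of objectClasses the consumer's schema knows, reports every objectClass value that would trip the consumer's "value #0 invalid per syntax" check, and prints the value-specific `val=` ACL rules from the reply, one per unwanted value, so that nothing is missed when a site has more than one local class. The replicator DN is the one from the thread; the consumer's known classes, the set of attributes the replicator is allowed to read, and the two LDIF entries are constructed assumptions, and the "replicator view" is a simple model of the ACL filtering, not slapd's ACL engine.

```python
"""Pre-flight check for fractional syncrepl replication (added example, not code
from the thread): find the objectClass values a consumer cannot load and emit the
'val=' ACL rules from the reply that hide them from the replicator identity."""
import base64
import re

# Assumptions for the example: the replicator DN from the thread, a consumer
# that loads only core + inetorgperson schema, and the attributes it receives.
REPLICATOR_DN = "cn=rep1,ou=replicators,dc=org,dc=test,dc=si"
CONSUMER_OBJECTCLASSES = {"top", "person", "organizationalPerson", "inetOrgPerson"}
REPLICATED_ATTRS = {"objectclass", "uid", "cn", "sn"}

# Constructed provider export: both entries carry a site-local objectClass,
# alice also a site-local attribute; 'cn::' exercises base64 values.
SAMPLE_LDIF = """\
dn: uid=alice,ou=users,dc=org,dc=test,dc=si
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: unknownLocalStuff
uid: alice
cn: Alice Example
sn: Example
localBadgeNumber: 1234

dn: uid=bob,ou=users,dc=org,dc=test,dc=si
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: anotherLocalClass
uid: bob
cn:: Qm9iIEV4YW1wbGU=
sn: Example
"""
_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")

def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values, splits entries on blank lines; attribute names are lower-cased."""
    entries, entry = [], None
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        if not line.strip():
            if entry is not None:
                entries.append(entry)
            entry = None
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        if entry is None:  # first line of an entry is its dn
            entry = {"dn": value, "attrs": {}}
        else:
            entry["attrs"].setdefault(name.lower(), []).append(value)
    return entries

def unknown_object_classes(entries, known=CONSUMER_OBJECTCLASSES):
    """objectClass values present on the provider that the consumer cannot load."""
    known = {k.lower() for k in known}
    return sorted({oc for e in entries
                   for oc in e["attrs"].get("objectclass", [])
                   if oc.lower() not in known})

def value_acl_rules(unwanted, replicator_dn=REPLICATOR_DN):
    """One value-specific rule per unwanted objectClass, in slapd.conf syntax.
    They must precede the subtree 'read' rule: slapd uses the first matching
    'access to' directive, so placed after it they would never be evaluated."""
    return ['access to attrs=objectClass val=%s by dn.exact="%s" none break'
            % (oc, replicator_dn) for oc in unwanted]

def replicator_view(entry, hidden_classes=(), replicated=REPLICATED_ATTRS):
    """Assumed model of the provider ACLs: the replicator sees only the
    replicated attributes, minus the objectClass values hidden by val= rules."""
    hidden = {h.lower() for h in hidden_classes}
    attrs = {n: [v for v in vs if n != "objectclass" or v.lower() not in hidden]
             for n, vs in entry["attrs"].items() if n in replicated}
    return {"dn": entry["dn"], "attrs": attrs}

def consumer_rejects(entry, known=CONSUMER_OBJECTCLASSES):
    """objectClass values failing the consumer's syntax check; non-empty means
    syncrepl logs 'mods check (objectClass: value #N invalid per syntax)'."""
    known = {k.lower() for k in known}
    return [oc for oc in entry["attrs"].get("objectclass", []) if oc.lower() not in known]

def preflight(ldif_text=SAMPLE_LDIF):
    """Whole check: unwanted classes, ACL rules to add, and the DNs the consumer
    would reject before and after those rules take effect."""
    entries = parse_ldif(ldif_text)
    unwanted = unknown_object_classes(entries)
    return {"unwanted": unwanted, "rules": value_acl_rules(unwanted),
            "rejected_before": [e["dn"] for e in entries
                                if consumer_rejects(replicator_view(e))],
            "rejected_after": [e["dn"] for e in entries
                               if consumer_rejects(replicator_view(e, unwanted))]}
```

Running `preflight()` on the constructed export reports `anotherLocalClass` and `unknownLocalStuff` as the values to hide, two `access to attrs=objectClass val=... by dn.exact="cn=rep1,..." none break` lines to put in front of the subtree read rule, both entries rejected without them and none with them. Note that the consumer in the thread already has `schemachecking=off` and still logs the error, so that option is not a substitute for hiding the values. The model here only approximates slapd's ACL evaluation; after editing the provider's slapd.conf, confirm the effective view with an `ldapsearch` bound as the replicator DN before trusting the replica.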
openldap-software@openldap.org