On Tue, Jul 23, 2024 at 12:00:10PM +0200, Frédéric Goudal wrote:
> Hello,
> I'm trying to build a partial replication, but due to the structure of our LDAP directory I'm wondering how to do it:
> - I have an ou branch for people that I want to replicate (ou=people,<prefix>)
> - I have an ou branch for groups that I want to replicate (ou=groups,<prefix>)
> - I have an ou branch for sudo that I want to replicate (ou=sudo,<prefix>)
> I guess that the setup for that is to replicate on <prefix> base and just filter on the objectClass
> BUT… my problem is that I have another ou branch for some people (ou=otherPeople,<prefix>) that I don't want to replicate, but that contains exactly the same objects as the ou=people,<prefix> branch, so I cannot use a filter on objectClass; there is no specific attribute that allows to say if an object belongs to ou=otherPeople or to ou=People
> I wonder what is the correct solution to achieve my goal.
> I was wondering if I could put several olcSyncrepl on the database with the same provider but one for every ou that I want to replicate?
> Or is there a better way to do it?

There are three options:
- what you suggest (3 syncrepl statements with different searchbases) - theoretically should work but it's not often deployed and so less tested in the wild
- craft your filter accordingly (using 'entryDN:dnSubtreeMatch:=<prefix>')
- use ACLs on the provider side to hide certain parts of the DIT from the consumer <- this is what I would usually do unless deltasync was needed

Regards,
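
A sketch of the third option (provider-side ACLs) together with a matching consumer definition, added here as an illustration and not taken from the thread. The suffix dc=example,dc=com stands in for <prefix>; the bind DN cn=replicator, the database index {1}mdb, the host name and the credentials placeholder are all assumptions.

```ldif
# --- On the PROVIDER (apply with ldapmodify against cn=config) ---
# Assumed names: olcDatabase={1}mdb, cn=replicator,dc=example,dc=com.
# Rule {0}: the replication identity sees nothing under ou=otherPeople;
#           every other identity falls through to the existing rules.
# Rule {1}: the replication identity may read the rest of the DIT.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="ou=otherPeople,dc=example,dc=com"
  by dn.exact="cn=replicator,dc=example,dc=com" none
  by * break
olcAccess: {1}to *
  by dn.exact="cn=replicator,dc=example,dc=com" read
  by * break

# --- On the CONSUMER (a different server, separate ldapmodify run) ---
# One syncrepl statement on the whole suffix; the provider ACLs above
# decide what this bind DN can actually see. Plain syncrepl is used,
# since the reply recommends this option when deltasync is not needed.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001
  provider=ldap://provider.example.com
  starttls=critical
  bindmethod=simple
  binddn="cn=replicator,dc=example,dc=com"
  credentials=REPLACE_WITH_SECRET
  searchbase="dc=example,dc=com"
  scope=sub
  type=refreshAndPersist
  retry="60 +"
```

To check the result, search the provider as the replication DN with base ou=otherPeople,dc=example,dc=com and confirm that no entries come back before enabling the consumer.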