On 1/6/2012 8:54 AM, Jeffrey Crawford wrote:
Are you saying that syncprov looks at the account that is bound and sends deletes if a record would become invisible after a modification?
I understand the opposite: syncprov will only send add/delete messages based on base/scope/filter and not on ACL-visibility. So in essence Howard says that ACL-based filtering in replication does not result in proper results to consumers.
This is tricky! (I didn't know either.) It means that we should *not* design our replication based on ACL-filtering (which, unfortunately, we have done too), but, on the contrary, that we should design our DIT so that it can cover our replication needs based on consumer base/scope/filter configuration, and we should design/adapt our ACLs with the above rule in mind.
Please confirm the above thoughts.
Thanks, Nick
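
The design described in the message above, as a slapd.conf sketch (an added example, not part of the original thread). All DNs, the host name, the employeeType attribute values and the credential are constructed placeholders; it assumes the understanding stated in the message, that the consumer's base/scope/filter decides what is replicated.

```conf
## Provider ##########################################################
overlay syncprov

# Avoided design: hiding part of the subtree from the replication
# identity with an ACL, and relying on that to shape the replica.
#access to dn.subtree="ou=people,dc=example,dc=com"
#    filter=(employeeType=external)
#    by dn.exact="cn=replicator,dc=example,dc=com" none

# Preferred design: the replication identity can read everything under
# the subtree it replicates, so ACL visibility never differs from what
# the consumer's search selects.
access to dn.subtree="ou=people,dc=example,dc=com"
    by dn.exact="cn=replicator,dc=example,dc=com" read
    by * break

## Consumer ##########################################################
# The replica's content is defined here, by searchbase, scope and
# filter, not by provider-side ACLs.
syncrepl rid=001
    provider=ldap://provider.example.com
    type=refreshAndPersist
    retry="60 +"
    searchbase="ou=people,dc=example,dc=com"
    scope=sub
    filter="(&(objectClass=inetOrgPerson)(employeeType=internal))"
    bindmethod=simple
    binddn="cn=replicator,dc=example,dc=com"
    credentials=CHANGE_ME
```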