Hi,
On Mon, 24 Mar 2014, Howard Chu wrote:
Christian Kratzer wrote:
Hi,
On Mon, 24 Mar 2014, Ulrich Windl wrote:
Hi!
Stupid question: If syn is based on entryUUID and entryCSN and objects are transferred in transactions, how can an obsolete or incomplete object exist on a server that is to be synced?
If, for example, the ACL on the provider does not show you all attributes because the ACL is based on data not yet synced, then the provider will give the consumer incomplete objects.
That makes no sense, since ACLs on the provider aren't dependent on data from any other server. I.e., whether the data is synced or not on a particular consumer won't change the evaluation of ACLs on the provider.
In my situation the provider itself is still syncing up and the acl is dependent on the full DIT being in place.
Hm... Unless of course, your ACLs depend on entries living in a back-ldap instance that points at a particular consumer. That would be quite bizarre.
I have the following:
olcLimits: group/groupOfNames/member="cn=replicators,ou=serviceaccounts,dc=cksoft,dc=net" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited
olcAccess: to * by group/groupOfNames/member="cn=replicators,ou=serviceaccounts,dc=cksoft,dc=net" read
and the following group in the DIT with the mapped SASL identities of the servers:
dn: cn=replicators,ou=ServiceAccounts,dc=cksoft,dc=net
objectClass: groupOfNames
cn: replicators
member: cn=ldap1.cksoft.de,ou=ServiceAccounts,dc=cksoft,dc=net
member: cn=ldap2.cksoft.de,ou=ServiceAccounts,dc=cksoft,dc=net
...
...
...
The situation I am getting at is:
1. Provider A has the data.
2. Consumer B is empty and starts to sync up from provider A.
3. Consumer C is empty and starts up to sync from B.
4. The above group is not yet populated on B as it is still empty.
5. B will not apply the above olcLimits clause to the connection C is on.
6. B will not show all entries or all attributes to C as the ACL will not match.
I can see the above happening quite easily in a 3 or 4 server multimaster cluster when one of them is being resynced.
Denying client connections in the initial sync phase is the trivial fix that will enforce consistency.
Greetings Christian
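An added example, not part of this thread, of the readiness check that the scenario above calls for on the defender's side: before a freshly resynced server is allowed to act as an upstream for other consumers, compare its contextCSN values per serverID against the provider's and confirm that the group the ACLs depend on (the cn=replicators DN from the thread) is actually present in its local DIT. The contextCSN values below are constructed for the example; the CSN layout (timestamp, change count, serverID, modifier number) is the one OpenLDAP uses, and the entry set stands in for a real ldapsearch result.

```python
import re
from dataclasses import dataclass

# OpenLDAP CSN layout: YYYYmmddHHMMSS.uuuuuuZ#count(6 hex)#sid(3 hex)#mod(6 hex)
CSN_RE = re.compile(r'^(\d{14}\.\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$')


@dataclass(frozen=True)
class CSN:
    timestamp: str   # lexically ordered, so string comparison is chronological
    count: int       # change counter within the same microsecond
    sid: int         # serverID that originated the change
    mod: int         # modifier number (unused for ordering here)

    def key(self):
        return (self.timestamp, self.count)


def parse_csn(value):
    """Parse one contextCSN/entryCSN string into its components."""
    m = CSN_RE.match(value)
    if not m:
        raise ValueError(f"malformed CSN: {value!r}")
    ts, count, sid, mod = m.groups()
    return CSN(ts, int(count, 16), int(sid, 16), int(mod, 16))


def by_sid(values):
    """Index a multi-valued contextCSN attribute by serverID."""
    return {csn.sid: csn for csn in map(parse_csn, values)}


def lagging_sids(provider_csns, consumer_csns):
    """Return the serverIDs for which the consumer is behind the provider.

    A missing SID on the consumer counts as lagging: it has not yet seen
    any change that originated on that server.
    """
    prov, cons = by_sid(provider_csns), by_sid(consumer_csns)
    lagging = []
    for sid, pc in prov.items():
        cc = cons.get(sid)
        if cc is None or cc.key() < pc.key():
            lagging.append(sid)
    return sorted(lagging)


def ready_to_serve(provider_csns, consumer_csns, consumer_entries, group_dn):
    """True only when the consumer has caught up on every SID and the group
    entry that the olcAccess/olcLimits clauses reference exists locally."""
    caught_up = not lagging_sids(provider_csns, consumer_csns)
    group_present = group_dn.lower() in {dn.lower() for dn in consumer_entries}
    return caught_up and group_present


# Constructed sample data (not real server output).
GROUP_DN = "cn=replicators,ou=ServiceAccounts,dc=cksoft,dc=net"
PROVIDER_CSNS = [
    "20140324120000.000000Z#000000#001#000000",
    "20140324120500.000000Z#000000#002#000000",
]
CONSUMER_BEHIND = [
    "20140324120000.000000Z#000000#001#000000",
    "20140324120100.000000Z#000000#002#000000",  # older than provider's SID 2
]
CONSUMER_CAUGHT_UP = list(PROVIDER_CSNS)
DIT_EMPTY = set()   # server B mid-resync: nothing replicated yet
DIT_FULL = {
    "dc=cksoft,dc=net",
    "ou=ServiceAccounts,dc=cksoft,dc=net",
    GROUP_DN,
}

if __name__ == "__main__":
    print("lagging SIDs (behind):", lagging_sids(PROVIDER_CSNS, CONSUMER_BEHIND))
    print("ready, empty DIT:", ready_to_serve(PROVIDER_CSNS, CONSUMER_CAUGHT_UP, DIT_EMPTY, GROUP_DN))
    print("ready, full DIT:", ready_to_serve(PROVIDER_CSNS, CONSUMER_CAUGHT_UP, DIT_FULL, GROUP_DN))
```

The CSN comparison deliberately ignores the modifier number and compares timestamp and counter only, which is what matters for "has this server seen that change yet"; the group-presence check is the part that a plain contextCSN comparison misses, because an ACL that names a group cannot match until that group entry itself has been replicated.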