Jeffrey Crawford wrote:
Hello,
I had thought I tested this beforehand but I seem to be able to reliably reproduce the following situation:
We have an installation where the provider server has information that is replicated to downstream replicas using the syncrepl protocol. The account used to replicate is allowed to see records where certain attributes meet specific values, a silly example is an attribute is set
dn: uid=somerecord,ou=people,dc=ucsc,dc=edu replicateMe: TRUE ...
When an account has that attribute set it then replicates to the downstream replica, however if later we set replicateMe to FALSE so that the account used for replication can no longer see the entry, it seems to be orphaned and is not removed in the replica.
We are using OpenLDAP 2.4.26 and I have the syncprov sessionlog set to 500 and the replica is set to refreshAndPersist.
Is this something that is simply not supported? or would a case like this be expected to work and I've either got a configuration issue or a bug?
Visibility changes due to ACL rules are not detected. syncprov only checks an entry against the search parameters of the original sync search operation, i.e., the base, scope, and filter. If an entry matches these params before the modification, and no longer matches after the operation, syncprov will send a delete message for that entry. (Likewise if an entry doesn't match before, but matches after, syncprov will send an Add for the entry.)