On 1/6/2012 4:38 AM, Howard Chu wrote:
> Visibility changes due to ACL rules are not detected. syncprov only checks an entry against the search parameters of the original sync search operation, i.e., the base, scope, and filter. If an entry matches these params before the modification, and no longer matches after the operation, syncprov will send a delete message for that entry. (Likewise if an entry doesn't match before, but matches after, syncprov will send an Add for the entry.)
I would like a clarification on this, please:
Since the syncprov mechanism does a search based on base/scope/filter from *a particular binddn* account, doesn't this mean that if visibility *by that same binddn* of some entry (due to ACL restrictions) changes after a modification, then effectively the same search (based on the same base/scope/filter) will produce different results, which means that the syncprov mechanism *should* generate an add/delete message accordingly?
In other words, syncprov does not produce messages based on the differences between the results of standard ldapsearch'es? And if it does not, shouldn't it?
Why should syncprov ignore ACL-based visibility? This seems unnatural and does not assist conceptualization. At least it seems confusing to me. Can you please provide more details on the syncprov mechanism with regard to this?
Please advise!
Thanks, Nick
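
The two behaviours contrasted in this message, as an added example that is not part of the original e-mail and is not OpenLDAP code: a simplified Python model of the add/delete rule as the quoted text describes it, next to a diff of two ACL-filtered searches by the same binddn. The entry layout, the single equality filter, the naive DN matching and the `sample_acl` rule are all assumptions made for illustration.

```python
# Added illustration; a simplified model, not OpenLDAP code.
def in_scope(base, scope, dn):
    # Naive string DN handling (no escaping or normalization): an assumption.
    if scope == "base":
        return dn == base
    parent = dn.split(",", 1)[1] if "," in dn else ""
    if scope == "one":
        return parent == base
    return dn == base or dn.endswith("," + base)  # "sub"

def matches(search, entry):
    """Base/scope/filter check only; filter is one (attr, value) equality."""
    if entry is None:
        return False
    attr, value = search["filter"]
    return (in_scope(search["base"], search["scope"], entry["dn"])
            and value in entry["attrs"].get(attr, []))

def change_kind(before_visible, after_visible):
    if before_visible and not after_visible:
        return "delete"
    if after_visible and not before_visible:
        return "add"
    return None  # neither an add nor a delete

def syncprov_decision(search, before, after):
    """Rule as described in the quoted message: ACLs play no part."""
    return change_kind(matches(search, before), matches(search, after))

def search_diff_decision(search, acl, binddn, before, after):
    """What diffing two ACL-filtered searches by binddn would yield."""
    vis = lambda e: matches(search, e) and acl(binddn, e)
    return change_kind(vis(before), vis(after))

# Constructed sample data and a hypothetical ACL rule.
SEARCH = {"base": "ou=people,dc=example,dc=com", "scope": "sub",
          "filter": ("objectClass", "person")}
REPLICA_DN = "cn=replica,dc=example,dc=com"

def sample_acl(binddn, entry):
    # Hypothetical: the replica identity may not read restricted entries.
    return not (binddn == REPLICA_DN
                and "restricted" in entry["attrs"].get("classification", []))

def entry(classification, object_class="person"):
    return {"dn": "uid=alice,ou=people,dc=example,dc=com",
            "attrs": {"objectClass": [object_class],
                      "classification": [classification]}}

if __name__ == "__main__":
    before, after = entry("public"), entry("restricted")
    print("syncprov rule:", syncprov_decision(SEARCH, before, after))
    print("search diff:  ", search_diff_decision(SEARCH, sample_acl, REPLICA_DN, before, after))
```

In this model, a modification that only changes ACL visibility yields no add or delete under the quoted rule, while the search diff yields a delete; a modification that changes the filter match yields the same result under both.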