What we've decided to do is to back out of the TLS and get Syncrepl/MMR working then implement TLS.
Going to keep sharp objects away from my wrists.
-----Original Message-----
From: Michael Ströder [mailto:michael@stroeder.com]
Sent: Friday, January 31, 2014 2:41 PM
To: Borresen, John - 0442 - MITLL; openldap-technical@openldap.org
Subject: Re: Syncrepl and mmr
Borresen, John - 0442 - MITLL wrote:
I'm not trying to implement partial replication.
Missed the smiley?
Your *first* ACL should give read access to the whole tree to the group of replicas and then pass on all other access checking to the subsequent ACLs (by * break).
Something like:
    limits group="cn=replicas,dc=example,dc=com" time=unlimited size=unlimited

    access to dn.subtree="ou=ampua"
        by group="cn=replicas,dc=example,dc=com" read
        by * break
Ciao, Michael.
-----Original Message-----
From: Michael Ströder [mailto:michael@stroeder.com]
Sent: Friday, January 31, 2014 2:15 PM
To: Quanah Gibson-Mount; Borresen, John - 0442 - MITLL; openldap-technical@openldap.org
Subject: Re: Syncrepl and mmr
Quanah Gibson-Mount wrote:
--On Friday, January 31, 2014 1:20 PM -0500 "Borresen, John - 0442 - MITLL" John.Borresen@ll.mit.edu wrote:
Thanks, Quanah
Not sure what you meant by "Well, it may not have been this issue, but it definitely would become an issue then."
Was what I did a good thing or not? Curious minds want to know. <lol>
The lack of read permissions for the replication user would absolutely be an issue at some point. ;)
To put it the other way round: It's very hard to implement partial replication correctly. ;-}
Ciao, Michael.
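
An added example, not part of the thread or of OpenLDAP: a small Python check for the ACL layout described above (replica group granted read in the first ACL, which ends with "by * break", plus unlimited size/time limits). The function names, the sample configs and the userPassword ACL are constructed for illustration, and the parser assumes simple slapd.conf syntax with no spaces inside DNs.

```python
import re

READ_OR_MORE = ("read", "write", "manage")   # slapd levels that include read
GROUP = "cn=replicas,dc=example,dc=com"      # group DN from the thread

def directives(conf_text):
    """Join continuation lines (leading whitespace) into whole directives."""
    out = []
    for line in conf_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                          # simplification: skip blanks/comments
        if line[0] in " \t" and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.strip())
    return out

def check_replica_acl(conf_text, group_dn, subtree):
    """Return a list of problems with the replica ACL setup (empty = OK)."""
    dirs, who, problems = directives(conf_text), 'group="%s"' % group_dn, []
    if not any(d.startswith("limits " + who) and "size=unlimited" in d
               and "time=unlimited" in d for d in dirs):
        problems.append("no unlimited size/time limits for replica group")
    acls = [d for d in dirs if d.startswith("access to ")]
    if not acls:
        return problems + ["no access directives found"]
    # ACLs are evaluated in order, so only the first one is inspected here.
    what, *by = re.split(r"\s+by\s+", acls[0][len("access to "):])
    clauses = [c.split() for c in by]
    if what.strip() != 'dn.subtree="%s"' % subtree:
        problems.append("first ACL does not cover " + subtree)
    if not any(c[0] == who and len(c) > 1 and c[1] in READ_OR_MORE for c in clauses):
        problems.append("replica group lacks read access in first ACL")
    if not clauses or clauses[-1] != ["*", "break"]:
        problems.append("first ACL does not end with 'by * break'")
    return problems

# Constructed sample fragments (not taken from anyone's real configuration).
LIMITS = 'limits group="%s" time=unlimited size=unlimited\n' % GROUP
REPLICA_ACL = ('access to dn.subtree="ou=ampua"\n'
               '    by group="%s" read\n    by * break\n' % GROUP)
PW_ACL = 'access to attrs=userPassword\n    by self write\n    by * none\n'
GOOD = LIMITS + REPLICA_ACL + PW_ACL   # replica ACL first, then the rest
BAD = LIMITS + PW_ACL + REPLICA_ACL    # replica is denied userPassword first

if __name__ == "__main__":
    for name, conf in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_replica_acl(conf, GROUP, "ou=ampua") or "OK")
```

With the BAD ordering the replica still gets most of the tree but is stopped at the userPassword ACL, which is the unintended partial replication the thread warns about.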