On 2/6/2012 11:18 AM, Nick Milas wrote:
In other words, syncprov does not produce messages based on the differences between the results of standard ldapsearch'es? And if it does not, shouldn't it?
My tests (with v2.4.31 on both provider and consumer) show that syncrepl (refreshAndPersist) works correctly when replicating based on ACL restrictions. The OpenLDAP consumer correctly deletes an entry from a branch when the entry is moved to another branch that is invisible to the consumer binddn, and it correctly re-creates it when it is moved back to a branch that is visible (based on ACL).
So the answer above is yes, syncprov *does* produce update messages based on the differences between the results of standard ldapsearch'es.
BUT, I had problems in the past when replicating based on ACLs: there might be scenarios (though I never had time to test exhaustively) where replication stalls (I even had some crashes) when the consumer binddn inadvertently had only partial privileges on some branches of the provider (probably on the entry/children pseudo-attributes only). I ceased to have problems when I made sure that there existed *no* privileges *at all* on branches / entries where the consumer binddn should NOT have access (e.g. by explicitly declaring "by <consumer binddn> none").
I would like to invest some time to test such scenarios more (however, not feasible in the immediate future).
Any other info from the developers might be insightful.
Regards, Nick
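As an added illustration (not part of Nick's post), the following constructed slapd.conf excerpts show the kind of partial grant the post describes beside the explicit "by <consumer binddn> none" rule it recommends; the DNs, branch names and the replicator identity are assumed, and whether the partial grant alone reproduces the stall is not established by the thread.

```conf
# Provider slapd.conf excerpt (constructed example). The consumer binds as
# cn=replicator,dc=example,dc=com and should replicate only ou=public.

# PARTIAL GRANT (the situation the post warns about): the replicator gets
# read on the entry/children pseudo-attributes below ou=private while every
# other attribute of those entries stays hidden. The consumer can "see" that
# entries exist without seeing their contents.
access to dn.subtree="ou=private,dc=example,dc=com" attrs=entry,children
    by dn.exact="cn=replicator,dc=example,dc=com" read
    by * none

# EXPLICIT DENY (what the post recommends instead): put an explicit "none"
# for the replicator on the invisible branch before any broader rule can
# match, so the consumer holds no privileges at all there. "by * break"
# lets other identities fall through to the later rules.
access to dn.subtree="ou=private,dc=example,dc=com"
    by dn.exact="cn=replicator,dc=example,dc=com" none
    by * break

# The branch the consumer is allowed to replicate.
access to dn.subtree="ou=public,dc=example,dc=com"
    by dn.exact="cn=replicator,dc=example,dc=com" read
    by * break

access to *
    by self write
    by * read

# Consumer slapd.conf excerpt (constructed example): refreshAndPersist
# syncrepl binding as the replicator identity restricted above.
syncrepl rid=001
    provider=ldap://provider.example.com
    type=refreshAndPersist
    searchbase="dc=example,dc=com"
    bindmethod=simple
    binddn="cn=replicator,dc=example,dc=com"
    credentials=REPLACE_WITH_PASSWORD
    retry="60 +"
```

Use only one of the two "ou=private" access directives in a real configuration; they are shown together here to contrast the partial grant with the explicit deny.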