Unfortunately replication of cn=config, even at the subtree level, is broken. An ITS has been opened requesting a fix.

Sincerely, 
Jason Trupp 
Symas



Pardon typos. Sent from smartphone.

-------- Original message --------
From: Miroslav Misek <miroslav.misek@netgarden.cz>
Date: 10/23/18 10:21 AM (GMT-06:00)
To: openldap-technical@openldap.org
Subject: two subtrees replication

Hi,

I am trying to set up replication of two subtrees:
olcDatabase={-1}frontend,cn=config
cn=schema,cn=config

I was advised on the #openldap channel to set up syncrepl for the whole cn=config
and restrict it by ACL on the provider side,
which looks like an elegant solution to me.

I tried it, but without success. As long as the replication user does not
have access to cn=config, replication fails. And I don't want to replicate
it, because of TLS settings etc.

So I tried this:
olcAccess: {0}to dn.subtree="olcDatabase={-1}frontend,cn=config"
  by dn.exact="uid=replicator,dc=ententee,dc=com" read
  by * break
olcAccess: {1}to dn.subtree="cn=schema,cn=config"
  by dn.exact="uid=replicator,dc=ententee,dc=com" read
  by * break
olcAccess: {2}to dn.subtree="cn=config"
  by dn.exact="uid=replicator,dc=ententee,dc=com" search
  by * break

But it didn't help either.

Does anyone have any advice please?

Thank you,
Miroslav Misek
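As an added example (not code from the thread or from OpenLDAP), the following models only how slapd's dn.exact/dn.one/dn.subtree/dn.children target selectors match an entry DN, and applies the three olcAccess targets from the question to some constructed cn=config DNs; it does not model <by> clause evaluation, the break control, or syncrepl, and the DN normalization assumes no escaped commas or multi-valued RDNs.

```python
import re

# Added example: emulates only the ACL *target* selector (dn.<scope>=) of
# slapd.access(5), not the full access evaluation. Assumes simple DNs with
# no escaped commas and no multi-valued RDNs.

def normalize_dn(dn: str) -> str:
    """Lower-case the DN and strip whitespace around ',' and '='."""
    parts = [p.strip() for p in dn.split(",")]
    return ",".join(re.sub(r"\s*=\s*", "=", p).lower() for p in parts)

def dn_matches(scope: str, base: str, target: str) -> bool:
    """True if `target` falls under `base` for the given dn.<scope> selector."""
    b, t = normalize_dn(base), normalize_dn(target)
    if scope == "exact":
        return t == b
    if scope == "subtree":          # the base entry itself plus all descendants
        return t == b or t.endswith("," + b)
    if scope == "children":         # descendants only, not the base entry
        return t != b and t.endswith("," + b)
    if scope == "one":              # immediate children only (one RDN above base)
        return t != b and t.endswith("," + b) and "," not in t[: -len(b) - 1]
    raise ValueError(f"unknown scope {scope!r}")

# The three dn.subtree targets from the question, in directive order, with the
# access level each grants to uid=replicator (the first <by> clause of each).
ACL_TARGETS = [
    ("olcDatabase={-1}frontend,cn=config", "read"),
    ("cn=schema,cn=config", "read"),
    ("cn=config", "search"),
]

def first_matching_target(entry_dn: str):
    """Return (target, access) of the first directive whose target matches,
    since slapd uses the first <to> clause that matches the entry and the
    replicator DN matches the first <by> clause of every directive here."""
    for base, access in ACL_TARGETS:
        if dn_matches("subtree", base, entry_dn):
            return base, access
    return None

if __name__ == "__main__":
    # Constructed sample DNs typical of a cn=config tree.
    for dn in ("cn=config", "cn={0}core,cn=schema,cn=config",
               "olcDatabase={1}mdb,cn=config",
               "olcOverlay={0}syncprov,olcDatabase={-1}frontend,cn=config"):
        print(f"{dn} -> {first_matching_target(dn)}")
```

The output shows that entries such as olcDatabase={1}mdb,cn=config fall through to the catch-all cn=config directive, which grants the replicator only search, not read.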