Unfortunately replication of cn=config, even at the subtree level, is broken. An ITS has been opened requesting a fix.

Jason Trupp 

Pardon typos. Sent from smartphone.

-------- Original message --------
From: Miroslav Misek <miroslav.misek@netgarden.cz>
Date: 10/23/18 10:21 AM (GMT-06:00)
To: openldap-technical@openldap.org
Subject: two subtrees replication


I am trying setup replication of two subtrees:

I was advised at #openldap channel to set syncrepl for whole cn=config
and restrict it by ACL at provider side.
Which looks like elegant solution to me.

I tried it, but without success. As long, as replication user does not
have access to cn=config, replication fails. And I don`t want replicate
it, because of TLS settings etc.

So I tried this:
olcAccess: {0}to dn.subtree="olcDatabase={-1}frontend,cn=config"
  by dn.exact="uid=replicator,dc=ententee,dc=com" read
  by * break
olcAccess: {1}to dn.subtree="cn=schema,cn=config"
  by dn.exact="uid=replicator,dc=ententee,dc=com" read
  by * break
olcAccess: {2}to dn.subtree="cn=config"
  by dn.exact="uid=replicator,dc=ententee,dc=com" search
  by * break

But it didn`t help either.

Does anyone have any advice please?

Thank you,
Miroslav Misek