On 25/5/2012 4:56 PM, Konstantin Menshikov wrote:
> When I move an object in a subtree forbidden by ACL, then no information
> about this modification goes to the replica server.

I don't know if you have followed a recent thread, but according to
(quote) "Visibility changes due to ACL rules are not detected. syncprov
only checks an entry against the search parameters of the original sync
search operation, i.e., the base, scope, and filter. If an entry matches
these params before the modification, and no longer matches after the
operation, syncprov will send a delete message for that entry. (Likewise
if an entry doesn't match before, but matches after, syncprov will send
an Add for the entry.)"
So, based on this, the behavior you see is expected.
And another quote (by me):
"So in essence Howard says that ACL-based filtering in replication does
not result in proper results to consumers.
This is tricky! (I didn't know either.) It means that we should *not*
design our replication based on ACL-filtering (which, unfortunately, we
have done too), but, on the contrary, that we should design our DIT so
that it can cover our replication needs based on consumer
base/scope/filter configuration, and we should design/adapt our ACLs
with the above rule in mind."
I thought of your case when I followed this thread, and I thought I
should send you a notice.
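
The rule quoted in this message, as an added example that is not part of the original e-mail and is not OpenLDAP code: a simplified Python model of which sync message a consumer receives after a rename, covering base and scope only (the filter is left out). The DNs, the ACL-hidden subtree and all function names are constructed for illustration.

```python
# Simplified model of the syncprov rule quoted above; not OpenLDAP code.
# DNs, the hidden subtree and helper names are constructed for illustration.

def dn_parts(dn):
    return [p.strip().lower() for p in dn.split(",")]

def in_scope(dn, base, scope="sub"):
    """True if dn falls under the sync search base for the given scope."""
    d, b = dn_parts(dn), dn_parts(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False
    depth = len(d) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def sync_message(old_dn, new_dn, base, scope, hidden_subtrees=()):
    """Message the consumer receives after a rename from old_dn to new_dn.

    Only base/scope membership before and after decides add vs delete.
    ACL visibility (hidden_subtrees) never produces a delete; it only
    suppresses the update, which leaves a stale copy on the consumer.
    """
    before = in_scope(old_dn, base, scope)
    after = in_scope(new_dn, base, scope)
    if before and not after:
        return "delete"
    if not after:
        return None  # never matched the sync search: nothing to send
    if any(in_scope(new_dn, h) for h in hidden_subtrees):
        return None  # ACL hides the new location: nothing is sent
    return "modify" if before else "add"

BASE = "dc=example,dc=com"
HIDDEN = ["ou=restricted,dc=example,dc=com"]  # assumed denied to the replication DN

def stale_on_consumer(old_dn, new_dn, base=BASE):
    """True if the consumer keeps the old entry although ACLs now hide it."""
    return (in_scope(old_dn, base)
            and sync_message(old_dn, new_dn, base, "sub", HIDDEN) is None)

if __name__ == "__main__":
    old = "uid=kim,ou=people,dc=example,dc=com"
    new = "uid=kim,ou=restricted,dc=example,dc=com"
    # Replication limited by ACL only: the move is invisible to the consumer.
    print(sync_message(old, new, BASE, "sub", HIDDEN), stale_on_consumer(old, new))
    # Replication limited by search base: the same move yields a delete.
    print(sync_message(old, new, "ou=people,dc=example,dc=com", "sub", HIDDEN))
```

Narrowing the consumer's search base to the subtree it is allowed to hold turns the silent case into an explicit delete, which is the design change recommended in the quoted text.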