Hi.
I have a replication setup: full replication of o=company, but the user used for replication (uid=replica,ou=users,o=company) is limited by ACL.
Master configuration:
access to dn.subtree="ou=users,o=company" attrs=userPassword by anonymous auth
access to dn.base="o=company" by dn.exact="uid=replica,ou=users,o=company" read
access to dn.subtree="ou=dev,o=company" by dn.exact="uid=replica,ou=users,o=company" read
#######################################################################
# BDB database definitions
#######################################################################
database        hdb
suffix          "o=company"
rootdn          "cn=ldapadm,o=company"
rootpw          password
directory       /var/db/openldap-data/o=company

overlay         syncprov
Slave configuration:
#######################################################################
# BDB database definitions
#######################################################################
database        hdb
suffix          "o=company"
rootdn          "cn=ldapadm,o=company"
rootpw          password
directory       /var/db/openldap-data/o=company

syncrepl        rid=001
                provider=ldap://ro1.devel.ldap.company.ru:389
                type=refreshAndPersist
                retry="5 10 300 +"
                searchbase="o=company"
                scope=sub
                schemachecking=off
                starttls=critical
                bindmethod=simple
                tls_reqcert=never
                binddn="uid=replica,ou=users,o=company"
                credentials="password"
Replication works.
When I move an object into a subtree that the ACL forbids, no information about this modification reaches the replica server, e.g. this operation on the master server:
dn: ou=groups2,ou=dev,o=company
changetype: moddn
newrdn: ou=groups2
deleteoldrdn: 1
newsuperior: ou=corp,o=company
This object is not deleted and contextCSN is not updated on the replica.
Is it expected behavior or not?
-- Konstantin Menshikov
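The situation in this post (an entry moved out of the subtree the replication identity can read, leaving a copy on the consumer that is never deleted and a contextCSN that never advances) can be detected by comparing an export taken on the provider while bound as the replication identity with an export of the consumer's own database. The script below is an added example written for this thread; it is not code from the post or from the OpenLDAP project. The two LDIF snapshots, the contextCSN values and the helper names (`parse_ldif`, `stale_entries`, `check_consistency`) are constructed for illustration.

```python
import re

# Constructed LDIF snapshots (not real exports). PROVIDER_LDIF is what
# uid=replica can see on the master after the moddn: the entry now lives
# under ou=corp,o=company, which the ACL hides from the replication identity,
# so it simply disappears from this view. CONSUMER_LDIF is the replica's
# own database, which never received the change.
PROVIDER_LDIF = """\
dn: o=company
objectClass: organization
o: company
contextCSN: 20240101120500.000000Z#000000#000#000000

dn: ou=dev,o=company
objectClass: organizationalUnit
ou: dev
"""

CONSUMER_LDIF = """\
dn: o=company
objectClass: organization
o: company
contextCSN: 20240101120000.000000Z#000000#000#000000

dn: ou=dev,o=company
objectClass: organizationalUnit
ou: dev

dn: ou=groups2,ou=dev,o=company
objectClass: organizationalUnit
ou: groups2
"""


def parse_ldif(text):
    """Parse a minimal LDIF export into {dn: {attr: [values]}}.

    DNs and attribute names are lower-cased because LDAP compares them
    case-insensitively. Folded lines (leading space) are joined; base64
    values ('::') are kept undecoded, which is fine for DN/CSN comparison.
    """
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:      # LDIF line continuation
                lines[-1] += raw[1:]
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value.lower()
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries[dn] = attrs
    return entries


def in_scope(dn, base):
    """True if dn is the replicated base itself or lies beneath it."""
    base = base.lower()
    return dn == base or dn.endswith("," + base)


def stale_entries(provider, consumer, base):
    """DNs the consumer still holds under `base` that the provider no longer
    exposes there. A moddn out of the replica-readable subtree shows up
    exactly like this, because the consumer never sees a delete for it."""
    return sorted(dn for dn in consumer
                  if in_scope(dn, base) and dn not in provider)


def context_csn(entries, base):
    """contextCSN stored on the base entry, or None if absent."""
    return entries.get(base.lower(), {}).get("contextcsn", [None])[0]


def check_consistency(provider_ldif, consumer_ldif, base="o=company"):
    """Compare the two exports and report stale entries and CSN drift."""
    provider = parse_ldif(provider_ldif)
    consumer = parse_ldif(consumer_ldif)
    p_csn, c_csn = context_csn(provider, base), context_csn(consumer, base)
    return {
        "stale": stale_entries(provider, consumer, base),
        "provider_csn": p_csn,
        "consumer_csn": c_csn,
        "csn_in_sync": p_csn == c_csn,
    }


if __name__ == "__main__":
    report = check_consistency(PROVIDER_LDIF, CONSUMER_LDIF)
    for dn in report["stale"]:
        print("stale on consumer:", dn)
    print("contextCSN provider:", report["provider_csn"])
    print("contextCSN consumer:", report["consumer_csn"])
    print("in sync:", report["csn_in_sync"])
```

In practice the two inputs would come from `ldapsearch` against the provider bound as the replication identity (so the comparison reflects what syncrepl can actually deliver, not what rootdn sees) and from `slapcat` on the consumer. Any DN reported as stale is an entry the consumer cannot be told to remove through syncrepl as long as the ACL hides both the entry's old and new location from the replication identity, and a lagging consumer contextCSN is the other visible symptom of the same gap.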