On Thu, Apr 01, 2010 at 03:53:32PM -0700, Howard Chu wrote:
Multiple agreements with the same provider won't work, since there will only be one contextCSN sent from the master. After the first consumer runs, the second one will assume it is up to date.
Good point - I had forgotten that.
The correct solution here is to use a extended filter with dnSubtreeMatch on each desired branch.
So in this case with the tree:
dc=example,dc=com | +--o=support | +--o=location_A | +--o=location_B | +--o=location_C
the syncrepl clause on the location A slave would contain something like this:
searchbase="dc=example,dc=com" filter="(|(entrydn:dnSubtreeMatch:=o=support,dc=example,dc=com)(entrydn:dnSubtreeMatch:=o=location_A,dc=example,dc=com))
Unfortunately, when I look back at the original question I see that the slave server is physically located at location A and the security policy does not permit people at that location to see any data belonging to the other locations. Limiting the replication by this method leaves open the possibility that someone at location A might change the config to allow them to see data from location B, so the master server is still going to need ACLs to prevent that.
Andrew