On Nov 3, 2018, at 01:23, Manuela Mandache manuela.mandache.mm@gmail.com wrote:
What you want then is selective replication of a multivalued attribute. AFAIK, this can't be done in your olcSyncrepl directive, you need to use ACLs on your provider to restrict your replication account's access. If you don't want to check how this interferes with your other ACL rules, it would be something like that:

    olcAccess: to dn.subtree=<your branch> attrs=objectClass val.exact=uvmEduPII
      by dn.exact=<your replication account> none
      by * break

early enough in the ACL list to be evaluated before any other rule concerning the targeted entries. Either you define one of these rules for each of your four objectClass values, or you change val.exact=... to val.regex=<regex identifying exactly what you want> (guess there is some performance difference, evaluating regex is usually rather expensive).
I actually tried something like that some time ago, with slurpd replication, and it did not work properly when the multivalued attribute was modified on the provider, I don't know how syncrepl manages it. Also, your restriction concerns a schema attribute, there might be dependencies forbidding this - your excluded objectClasses must be AUXILIARY to start with.
Cheers,
Manuela
It actually turns out that it is best to leave the objectClass values there (I've discovered I have customers who are using the presence of the objectClass value as an indicator of eligibility for some service).
- Frank
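
A check for the value-based ACL discussed above, as an added example that is not part of the original messages: it scans LDIF from a search bound as the replication account and lists entries where a restricted objectClass value is still readable. Only the value uvmEduPII comes from the thread; the DNs, the sample LDIF and the function names are constructed for illustration.

```python
import base64

# Constructed sample: LDIF as a search bound as the replication account might
# return it (DNs are made up; the base64 value decodes to "uvmEduPII").
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: uvmEduPII

dn: uid=bob,ou=People,dc=example,dc=org
objectClass:: dXZtRWR1UElJ

dn: uid=carol,ou=People,dc=exam
 ple,dc=org
objectClass: inetOrgPerson
"""

def parse_ldif(text):
    """Yield (dn, {lowercased attr: [values]}) for each entry in LDIF text."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines + [""]:               # trailing blank flushes the last entry
        if not line.strip():
            if dn is not None:
                yield dn, attrs
            dn, attrs = None, {}
        elif not line.startswith("#"):
            name, _, rest = line.partition(":")
            b64 = rest.startswith(":")      # "attr:: <base64 value>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace") if b64 else rest.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)

def visible_restricted(ldif_text, restricted=("uvmEduPII",)):
    """Return {dn: [restricted objectClass values the bound account can still read]}."""
    wanted = {v.lower() for v in restricted}
    found = {dn: [v for v in attrs.get("objectclass", []) if v.lower() in wanted]
             for dn, attrs in parse_ldif(ldif_text)}
    return {dn: vals for dn, vals in found.items() if vals}

if __name__ == "__main__":
    print(visible_restricted(SAMPLE_LDIF))
```

An empty result means the replication account no longer sees the restricted values in the entries it was given.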