On 05/29/2012 07:25 PM, Nick Milas wrote:
On 29/5/2012 9:01 Ïμ, Konstantin Menshikov wrote:
somebody? anybody?
I would say: if you can use test servers with 2.4.31 and BDB >= 4.6.21, then you could try to reproduce by doing some experiments (moving to branch visible by consumer binddn, moving to branch not visible by consumer) and report results with excerpts from the logs.
Nick
Hi. I am trying to use openldap-server-2.4.31 and db47-4.7.25.4 on FreeBSD 8.2-RELEASE-p4. Configuration of master and slave attached. Log fragments also attached.
I am trying full replication of o=company, but with the help of an ACL I limit the access of the replication binddn to only the ou=dev,o=company branch.
Testing plan: move cn=cacti,ou=groups,ou=corp,o=company to cn=cacti,ou=groups,ou=dev,o=company. Move the group back from dev to corp.
Result: moving to the visible branch (dev): ok. Moving from the visible branch to the invisible one: error, cn=cacti,ou=groups,ou=dev,o=company still exists on the slave!
You wrote: "My tests (with v2.4.31 on both provider and consumer) show that syncrepl (refreshAndPersist) works correctly when replicating based on ACL restrictions. OpenLDAP consumer deletes correctly an entry from a branch when the entry is moved to another, invisible by the consumer binddn, branch, and it re-creates it correctly when it is moved back to a visible (based on ACL) branch."
Please show the replication setup with which it works correctly.
I found that if I add the ACL
#access to dn.subtree="o=company" attrs=entry
#    by dn.exact="uid=replica,ou=users,o=company" read
moving to the invisible branch works correctly! That side effect can be? What level of access does this ACL allow?