On 05/29/2012 07:25 PM, Nick Milas wrote:
On 29/5/2012 9:01 ÏÎ¼, Konstantin Menshikov wrote:
> somebody? anybody?
I would say: if you can use test servers with 2.4.31 and BDB >=
4.6.21, then you could try to reproduce by doing some experiments
(moving to branch visible by consumer binddn, moving to branch not
visible by consumer) and report results with excerpts from the logs.
I try use openldap-server-2.4.31 and db47-188.8.131.52 on FreeBSD
Configufation master and slave attached.
Log fragments also attached.
I try full replication of o=company, but with the help ACL limit access
of replication binddn only ou=dev,o=company branch.
move cn=cacti,ou=groups,ou=corp,o=company to
move group back from dev to corp.
moving to visible branch (dev): ok.
moving from visible branch to unvisible: error,
cn=cacti,ou=groups,ou=dev,o=company still exist on slave!
You wrote: "My tests (with v2.4.31 on both provider and consumer) show
that syncrepl (refreshAndPersist) works correctly when replicating based
on ACL restrictions. OpenLDAP consumer deletes correctly an entry from a
branch when the entry is moved to another, invisible by the consumer
binddn, branch, and it re-creates it correctly when it is moved back to
a visible (based on ACL) branch."
Please, show your replication setup at which it works correctly.
I fount, that if to add ACL
#access to dn.subtree="o=company" attrs=entry
# by dn.exact="uid=replica,ou=users,o=company" read
moving to unvisible branch working correctly!
That side effect can be?
What level of access allows this ACL?