Borresen, John - 0442 - MITLL wrote:
> I'm not trying to implement partial replication.
Missed the smiley?
Your *first* ACL should give read access to the whole tree to the group of
replicas and then pass on all other access checking to the subsequent ACLs
(by * break).
Something like:
limits group="cn=replicas,dc=example,dc=com"
  time=unlimited
  size=unlimited

access to dn.subtree="ou=ampua"
  by group="cn=replicas,dc=example,dc=com" read
  by * break
Ciao, Michael.
-----Original Message-----
From: Michael Ströder [mailto:michael@stroeder.com]
Sent: Friday, January 31, 2014 2:15 PM
To: Quanah Gibson-Mount; Borresen, John - 0442 - MITLL; openldap-technical(a)openldap.org
Subject: Re: Syncrepl and mmr
Quanah Gibson-Mount wrote:
> --On Friday, January 31, 2014 1:20 PM -0500 "Borresen, John - 0442 - MITLL"
> <John.Borresen(a)ll.mit.edu> wrote:
>
>> Thanks, Quanah
>>
>> Not sure what you meant by "Well, it may not have been this issue, but
>> it definitely would become an issue then."
>>
>> Was what I did a good thing or not? Curious minds want to know. <lol>
>
> The lack of read permissions for the replication user would absolutely be an
> issue at some point. ;)
To put it the other way round:
It's very hard to implement partial replication correctly. ;-}
Ciao, Michael.
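
The ACL ordering advice in this thread, as an added example that is not part of the original messages or of OpenLDAP: a simplified Python model of slapd ACL evaluation (whole access levels, only the stop and break controls) showing what a client in the replicas group can read depending on where the replica ACL sits. The suffix, the entry, the password ACL and the catch-all ACL are constructed for illustration.

```python
# Simplified model of slapd ACL evaluation: whole levels, "stop"/"break" only.
REPLICAS = "cn=replicas,dc=example,dc=com"    # group DN from the message
SUFFIX = "dc=example,dc=com"                  # constructed suffix
LEVELS = ["none", "auth", "read", "write"]    # subset of slapd levels, ascending

# Each ACL is (subtree, attrs or None for all, [(who, level, control), ...]).
REPL_ACL = (SUFFIX, None, [(REPLICAS, "read", "stop"), ("*", None, "break")])
PW_ACL = (SUFFIX, {"userPassword"},
          [("self", "write", "stop"), ("anonymous", "auth", "stop")])
REST_ACL = (SUFFIX, None, [("*", "read", "stop")])

def evaluate(acls, identities, entry_dn, attr):
    """Access level granted to a client for one attribute of one entry."""
    for subtree, attrs, by_clauses in acls:
        if not entry_dn.endswith(subtree):
            continue
        if attrs is not None and attr not in attrs:
            continue
        for who, level, control in by_clauses:
            if who == "*" or who in identities:
                if control == "break":
                    break            # go on to the next ACL that matches
                return level         # "stop": this clause decides
        else:
            return "none"            # implicit trailing "by * none stop"
    return "none"                    # ACLs exist but none matched

def readable_attrs(acls, identities, entry_dn, attrs):
    """Attributes a client could actually fetch, i.e. what a consumer receives."""
    need = LEVELS.index("read")
    return [a for a in attrs
            if LEVELS.index(evaluate(acls, identities, entry_dn, a)) >= need]

ENTRY = "uid=jdoe,ou=people," + SUFFIX        # constructed entry
ATTRS = ["cn", "userPassword"]
replica, user = {REPLICAS}, {"uid=other"}     # constructed client identities

if __name__ == "__main__":
    # Replica ACL first: full entry for replicas, old policy for everyone else.
    print(readable_attrs([REPL_ACL, PW_ACL, REST_ACL], replica, ENTRY, ATTRS))
    print(readable_attrs([REPL_ACL, PW_ACL, REST_ACL], user, ENTRY, ATTRS))
    # Replica ACL after the password ACL: userPassword silently not replicated.
    print(readable_attrs([PW_ACL, REPL_ACL, REST_ACL], replica, ENTRY, ATTRS))
```

With the replica ACL in second place the consumer still receives every entry, only without userPassword, and nothing reports an error.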