Humm and taking this one step further I&#39;m guessing that the replication account probably needs to see at least the entryUUID and entryCSN for all accounts to make sure that it can see the records it needs to delete. Okay at least I have some direction to go on now.<div>
<br></div><div>Jeffrey<br><br><div class="gmail_quote">On Fri, Jun 1, 2012 at 9:06 AM, Nick Milas <span dir="ltr">&lt;<a href="mailto:nick@eurobjects.com" target="_blank">nick@eurobjects.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On 1/6/2012 8:54 πμ, Jeffrey Crawford wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Are you saying that syncprov looks at the account that is bound and sends deletes if a record would become invisible after a modification?<br>
</blockquote>
<br></div>
I understand the opposite: syncprov will only send add/delete message based on base/scope/filter and not on ACL-visibility. So in essence Howard says that ACL-based filtering in replication does not result in proper results to consumers.<br>

<br>
This is tricky! (I didn&#39;t know either.) It means that we should *not* design our replication based on ACL-filtering (which, unfortunately, we have done too), but, on the contrary, that we should design our DIT so that it can cover our replication needs based on consumer base/scope/filter configuration, and we should design/adapt our ACLs with the above rule in mind.<br>

<br>
Please confirm the above thoughts.<br>
<br>
Thanks,<br>
Nick<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>I fly because it releases my mind from the tyranny of petty things . . .<br><br>— Antoine de Saint-Exupéry<br><br>Jeffrey E. Crawford<br>ITS Application Administrator (IDM)<br>
831-459-4365<br><a href="mailto:jeffreyc@ucsc.edu" target="_blank">jeffreyc@ucsc.edu</a><br>
</div>