--On Friday, June 30, 2017 9:08 AM +0300 Zeus Panchenko zeus@ibs.dn.ua wrote:
Quanah Gibson-Mount quanah@symas.com wrote:
Wouldn't it be simpler to define ACLs on the master that limit what the replication identity has access to that matches your filters?
Hmm ... I was sure I could not do that on the master side ... but when I try to do that, I receive the full data ...
Then likely your ACLs were incorrect?
It looks like some more permissive ACL works for the replica ... can I somehow know which ACL matched the replica? But I was trying to place the replABC ACLs at the end of the list and still was not able to limit the data according to the filter.
I suggest reading the slapd.access(5) man page and the OpenLDAP Admin Guide. As clearly noted in the documentation, ACLs (generally) stop processing on the *first* match. So, depending on your ACLs, adding your ACLs at the end of the list probably meant they were never evaluated.
I would also note that your stanza limiting what attrs are replicated is missing the operational attributes that are necessary for sync replication to function, so I would fully expect errors.
do you mean entryCSN and entryUUID ?
Yes, sorry, I missed them at the start of the list of attributes. ;) So that part seems ok.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
Quanah Gibson-Mount quanah@symas.com wrote:
Hmm ... I was sure I could not do that on the master side ... but when I try to do that, I receive the full data ...
Then likely your ACLs were incorrect?
Yes, they were.
At last I was able to fix that and get it working the way (I believe) I want:
---[ slave configuration quotation start ]-------------------------------------------
...
syncrepl rid=0
    ...
    searchbase="dc=example"
    ...
...
---[ slave configuration quotation end ]-------------------------------------------
---[ master configuration quotation start ]-------------------------------------------
...
access to dn.children="cn=example-accesslog"
    by dn.one="ou=repl,ou=system,dc=example" read
    by * break

access to dn.regex="^uid=(.*)@(.*),authorizedService=(mail|xmpp)@(.*),uid=(.*),ou=People,dc=example$"
    attrs=entry,entryCSN,entryUUID,objectClass,cn,o,uid,uidNumber,gidNumber,gecos,homeDirectory,loginShell,userPassword,creatorsName,createTimestamp,modifiersName,modifyTimestamp,mail,rfc822MailMember,sn,telephoneNumber,authorizedService,mu-mailBox
    by dn.exact="uid=replABC,ou=repl,ou=system,dc=example" read
    by * break

access to dn.regex="ou=ABC,ou=Sendmail,dc=example|ou=ABC,ou=DHCP,dc=example"
    by dn.exact="uid=replABC,ou=repl,ou=system,dc=example" read
    by * stop
...
# the final ACL
access to *
    by set="[cn=admin,ou=group,dc=example]/memberUid & user/uid" write
    by peername.ip=127.0.0.1 read
    by self read
    by users search
    by * break
...
---[ master configuration quotation end ]-------------------------------------------
thank you all, for help!
openldap-technical@openldap.org
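The thread turns on one rule from slapd.access(5): slapd evaluates access directives in order, and the first directive whose target matches and whose "by" clause matches the requester decides the outcome, unless that clause ends in "break". The following slapd.conf fragment is an added illustration of that rule applied to a filtered consumer; it is not configuration from the thread or from the OpenLDAP project, and the suffix, the consumer DN uid=replABC,ou=repl,ou=system,dc=example and the attribute list are assumed for the example.

```conf
# Added example, not from the thread. Suffix, consumer DN and attribute
# list are assumptions chosen to mirror the discussion above.

# --- WRONG ORDER ------------------------------------------------------
# The broad directive comes first. The consumer binds as a user, so the
# "by users read" clause matches it and evaluation stops right here with
# read access to every attribute of every entry. The narrower directive
# further down is never consulted, which is why the consumer receives
# the full data instead of the filtered subset.
access to dn.subtree="dc=example"
    by users read
    by * none

access to dn.regex="^uid=[^,]+,ou=People,dc=example$"
    attrs=entry,entryCSN,entryUUID,objectClass,uid,cn,sn,mail
    by dn.exact="uid=replABC,ou=repl,ou=system,dc=example" read
    by * break

# --- CORRECT ORDER ----------------------------------------------------
# Consumer-specific directives first. For People entries and the listed
# attributes (entryCSN and entryUUID must be included, or syncrepl cannot
# track state), the dn.exact clause matches the consumer and evaluation
# stops with read. "by * break" lets every other identity fall through
# to the later directives instead of being denied here.
access to dn.regex="^uid=[^,]+,ou=People,dc=example$"
    attrs=entry,entryCSN,entryUUID,objectClass,uid,cn,sn,mail
    by dn.exact="uid=replABC,ou=repl,ou=system,dc=example" read
    by * break

# Everything the consumer was not granted above: other entries, and the
# remaining attributes of People entries (userPassword, for instance).
# Denying the "entry" pseudo-attribute means the entry is not returned
# to the consumer's search at all, so it never reaches the replica.
access to dn.subtree="dc=example"
    by dn.exact="uid=replABC,ou=repl,ou=system,dc=example" none
    by * break

# Ordinary users keep their access; this directive is only reached by
# identities that fell through the "break" clauses above.
access to *
    by users read
    by * none
```

To answer the "which ACL matched the replica?" question without guessing, slapacl(8) evaluates the configured ACLs offline for a given identity, entry and attribute, for example `slapacl -f /etc/openldap/slapd.conf -D "uid=replABC,ou=repl,ou=system,dc=example" -b "uid=alice,ou=People,dc=example" entry/read userPassword/read` (config path and entry DN assumed), and reports ALLOWED or DENIED per attribute; adding `acl` to the slapd `loglevel` logs the per-request evaluation. Two things to check when a consumer still sees too much: a dn.regex target without `^` and `$` anchors matches anywhere in the DN, and a `by * break` after a clause that already matched the consumer has no effect, because the matching clause (with its implicit `stop`) has already decided the request.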