On 22/08/2012 12:00, Rein Tollevik wrote:
On 22.08.12 10:46, Mark Coetser wrote:
On 22/08/2012 10:39, Howard Chu wrote:
Mark Coetser wrote:
on some of the consumers, I have multiple syncrepl configs so that I replicate specific subdivision data to those servers.
That is not supported. You can only use multiple consumers in the same database if they are all pointing at different providers (and each of those providers uses a unique serverID).
Can I split them into separate databases on the consumer? Or what's the correct way of doing what I am trying to achieve?
Use a single syncrepl stanza on these consumers too, replicating your toplevel cn=company dn. Add ACLs on the provider which limit the user these consumers bind as to only see those sub-trees you wish them to see.
Rein
Hi
Please could someone confirm that these ACLs would be secure? I am trying to allow services like pam/nss on the provider to still function and have access to the entire tree, then allow the replica user from the consumer to see the base of the tree and the whole of the subdivision tree, including userPassword and shadowLastChange. Also, could someone assist with an example of a regex ACL that I could use to say that "cn=replica,*" has read access to everything in that user's subtree?
access to attrs=userPassword,shadowLastChange
    by dn.base="cn=admin,dc=company" write
    by dn.base="cn=replica,dc=subdivision,dc=company" read
    by anonymous auth
    by self write
    by * none

access to dn.base=""
    by peername.regex=127.0.0.1 read
    by * none

access to dn.base="dc=company"
    by dn.base="cn=replica,dc=subdivision,dc=company" read

access to dn.subtree="dc=subdivision,dc=company"
    by dn.base="cn=replica,dc=subdivision,dc=company" read

access to *
    by dn.base="cn=admin,dc=company" write
    by peername.regex=127.0.0.1 read
    by * none
openldap-technical@openldap.org
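An added example, not posted by anyone in the thread, of provider-side ACLs that follow Rein's advice (one syncrepl stanza on the consumer, restriction done on the provider) and answer Mark's regex question. It generalises his single dc=subdivision,dc=company case to one rule for every subdivision, using the `expand` modifier and `peername.ip` style documented in slapd.access(5); the DNs cn=admin,dc=company and cn=replica,dc=<subdivision>,dc=company, and pam/nss reaching slapd from 127.0.0.1, are assumptions taken from his configuration.

```conf
# Added example for the thread above; names and addresses are assumptions.
# slapd stops at the FIRST "access to" whose <what> matches the entry, then
# takes the first matching "by" clause; an implicit "by * none" ends every
# list. Any directive the admin or the local pam/nss services must pass
# therefore has to name them explicitly, which the posted dn.base="dc=company"
# and dn.subtree rules did not.

# Passwords: admin writes, a user changes its own, the replica user reads
# only entries under its own subdivision ($2), local services read, the
# rest may only use the attribute to bind.
access to dn.regex="^(.+,)?(dc=[^,]+,dc=company)$" attrs=userPassword,shadowLastChange
    by dn.base="cn=admin,dc=company" write
    by self write
    by dn.exact,expand="cn=replica,$2" read
    by peername.ip=127.0.0.1 read
    by * auth

# rootDSE: readable so clients can discover supportedControl etc.
access to dn.base=""
    by * read

# Suffix entry: the consumer replicates from the top level, so each
# subdivision's replica user must be able to see the base object itself.
access to dn.base="dc=company"
    by dn.base="cn=admin,dc=company" write
    by dn.regex="^cn=replica,dc=[^,]+,dc=company$" read
    by peername.ip=127.0.0.1 read

# One rule for all subdivisions: $2 is the subdivision DN captured from the
# target entry, so cn=replica,dc=X,dc=company sees dc=X,dc=company and
# nothing from any other subdivision.
access to dn.regex="^(.+,)?(dc=[^,]+,dc=company)$"
    by dn.base="cn=admin,dc=company" write
    by dn.exact,expand="cn=replica,$2" read
    by peername.ip=127.0.0.1 read

# Everything else stays closed except to the admin and local services.
access to *
    by dn.base="cn=admin,dc=company" write
    by peername.ip=127.0.0.1 read
```

Verify the result from the provider with slapacl, e.g. `slapacl -D "cn=replica,dc=subdivision,dc=company" -b "uid=someone,dc=other,dc=company" userPassword`, which should report no read access for a DN outside the replica user's subdivision.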