I would like to replicate only some OUs under the baseDN ; ou=people and ou=group,ou=system, but not the remaining of OUs below ou=system => ou=Hosts , ou=Networks, ou=Protocol. How can I remove those branches to replicate ? my actual syncrepl config that replicate all the subtree branches: syncrepl rid=001 provider=ldaps://master.domain.fr type=refreshAndPersist searchbase="dc=int-evry,dc=fr" filter="(objectClass=*)" attrs="*" scope=sub schemachecking=on bindmethod=simple retry="60 10 300 +" binddn="cn=replic,ou=System,dc=int-evry,dc=fr" credentials="secret" updateref ldaps://master.domain.fr:636

Le 20/03/2012 12:37, anax a écrit : Thanks, I achieved a partial replication to only wanted branches, as you suggested by restricting ACL to the replica's account on the branches/attributes I want. However that's not an easy config to set up , I noticed that as soon as I forgot to mention an attribute in a subtree object, all the objects in that subtree aren't replicate, that's the same for a branches DN node , I initially forgot the attribute associatedDomain which was part of that object for example, then that object node and all subtree objects below weren't replicated . So I ended with many more ACLs like that : #ou=system,dc=int-evry,dc=fr BaseDN ACL to get ou=system object node access to dn.exact="ou=system,dc=int-evry,dc=fr" by dn="cn=admin,dc=int-evry,dc=fr" write by dn="cn=replic,ou=System,dc=int-evry,dc=fr" read by users read #Goups and associeted attributes access to dn.subtree="ou=Group,ou=System,dc=int-evry,dc=fr" attrs=cn,sn,memberuid,member,mail,description,entry,objectclass,associatedDomain,gidNumber,ou by dn="cn=admin,dc=int-evry,dc=fr" write by dn="cn=replic,ou=System,dc=int-evry,dc=fr" read by users read How can I check performance issue with all the ACL I added ? is there a program to test / bench the ACLs or optimise them ? Thanks .