> [email protected] wrote:
>> Full_Name:
>> Version: 2.4.26
>> OS:
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (84.163.26.156)
>>
>>
>> It seems that attribute auditContext is replicated to consumers if there's an
>> accesslog DB configured at the provider. IMO this does not make sense since the
>> accesslog DB is not replicated and one might not want to load slapo-accesslog
>> module at all in the consumer's config.
>>
>> In a 2-way MMR setup with accesslog DB attached to both master providers the
>> auditContext contains two values for auditContext and even the same one.
>
> Since a syncrepl operation is a regular LDAP search, the provider sends
> everything that matches the search request. Probably we should be filtering
> out DSA-specific opattrs at the consumer side.

Agree. User-wise, there could be a (set of) configuration option(s) that result in a safe default filtering, while allowing "expert" users (or for experimental reasons) to replicate things arbitrarily. Alternatives:

1) protect auditContext with ACLs at the producer's side
2) document the need to use filter="(!(objectClass=auditContext))" (or whatever is appropriate) when configuring the consumer.

p.
