On Tue, 15 Jan 2013 13:37:06 GMT [email protected] wrote > On 01/15/2013 01:56 PM, [email protected] wrote: > > On Tue, Jan 15, 2013 at 12:18:59PM +0000, [email protected] wrote: > >> Full_Name: > >> Version: RE24 6f33e2c > >> OS: > >> URL: > >> Submission from: (NULL) (2001:8d8:1fe:1:d6be:d9ff:fe06:a14f) > >> > >> > >> It seems that operational attributes generated by slapo-allowed are > >> replicated. > > > Works as designed. These attributes are directoryOperation, not > > DSA-specific. > > I see the point; since they're generated by the overlay in response to > search operations, either they should not be replicated, or replication > should accept them. > > Their value depends on ACLs, so in order to reflect ACLs on a specific > DSA they should be generated; however, I concur ACLs should not depend > on the specific DSA of a replication setup.
The values depend on local ACLs *and* current authz-DN. => These attributes MUST NOT be replicated. Ciao, Michael.
