> On Nov 3, 2018, at 01:23, Manuela Mandache <[email protected]>
> wrote:
>
> What you want then is selective replication of a multivalued attribute.
> AFAIK, this can't be done in your olcSyncrepl directive, you need to use ACLs
> on your provider to restrict your replication account's access. If you don't
> want to check how this interferes with your other ACL rules, it would be
> something like that:
>
> olcAccess: to dn.subtree=<your branch> attrs=objectClass val.exact=uvmEduPII
>   by dn.exact=<your replication account> none by * break
>
> early enough in the ACL list to be evaluated before any other rule concerning
> the targeted entries.
> Either you define one of these rules for each of your four objectClass
> values, or you change val.exact=... to val.regex=<regex identifying exactly
> what you want> (guess there is some performance difference, evaluating regex
> is usually rather expensive).
>
> I actually tried something like that some time ago, with slurpd replication,
> and it did not work properly when the multivalued attribute was modified on
> the provider, I don't know how syncrepl manages it. Also, your restriction
> concerns a schema attribute, there might be dependencies forbidding this -
> your excluded objectClasses must be AUXILIARY to start with.
>
> Cheers,
>
> Manuela

It actually turns out that it is best to leave the objectClass values there
(I've discovered I have customers who are using the presence of the objectClass
value as an indicator of eligibility for some service).

- Frank