Hi all,

I'm trying to do a multi-master setup with special permissions (access controls), but I see replication issues.

As this is multi master, any way I go about replicating both the consumer and the provider will have an accessControlSubentry governing the replicated area.

Log excerpt from the replication client (server where the change wasn't done):

DEBUG [org.apache.directory.server.CONSUMER_LOG] - ------------- starting handleSearchResult ------------
DEBUG [org.apache.directory.server.CONSUMER_LOG] - assigning the cookie from sync state value control: rid=001,csn=20140423074926.153000Z#000000#001#000000
DEBUG [org.apache.directory.server.CONSUMER_LOG] - state name MODIFY
DEBUG [org.apache.directory.server.CONSUMER_LOG] - entryUUID = a4037097-de9a-486d-a069-2d0fe75ceda4
DEBUG [org.apache.directory.server.CONSUMER_LOG] - modifying entry with dn uid=pontusf,ou=People,dc=uppmax,dc=uu,dc=se
ERROR [org.apache.directory.server.CONSUMER_LOG] - ERR_52 Cannot modify the attribute : attributetype ( 1.3.6.1.4.1.18060.0.4.1.2.11 NAME 'accessControlSubentries' #011DESC 'Used to track a subentry associated with access control areas' #011EQUALITY distinguishedNameMatch #011SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 #011NO-USER-MODIFICATION #011USAGE directoryOperation )
org.apache.directory.api.ldap.model.exception.LdapNoPermissionException: ERR_52 Cannot modify the attribute : attributetype ( 1.3.6.1.4.1.18060.0.4.1.2.11 NAME 'accessControlSubentries' #011DESC 'Used to track a subentry associated with access control areas' #011EQUALITY distinguishedNameMatch #011SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 #011NO-USER-MODIFICATION #011USAGE directoryOperation )
#011at org.apache.directory.server.core.schema.SchemaInterceptor.checkModifyEntry(SchemaInterceptor.java:721)
#011at org.apache.directory.server.core.schema.SchemaInterceptor.modify(SchemaInterceptor.java:1186)
#011at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
#011at org.apache.directory.server.core.hash.PasswordHashingInterceptor.modify(PasswordHashingInterceptor.java:131)
#011at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
#011at org.apache.directory.server.core.exception.ExceptionInterceptor.modify(ExceptionInterceptor.java:253)
#011at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
#011at org.apache.directory.server.core.admin.AdministrativePointInterceptor.modify(AdministrativePointInterceptor.java:1456)
#011at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
#011at org.apache.directory.server.core.authz.DefaultAuthorizationInterceptor.modify(DefaultAuthorizationInterceptor.java:277)
#011at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
#011at org.apache.directory.server.core.authz.AciAuthorizationInterceptor.modify(AciAuthorizationInterceptor.java:820)
#011at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
#011at org.apache.directory.server.core.referral.ReferralInterceptor.modify(ReferralInterceptor.java:319)
#011at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
#011at org.apache.directory.server.core.authn.AuthenticationInterceptor.modify(AuthenticationInterceptor.java:834)
#011at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
#011at org.apache.directory.server.core.normalization.NormalizationInterceptor.modify(NormalizationInterceptor.java:216)
#011at org.apache.directory.server.core.DefaultOperationManager.modify(DefaultOperationManager.java:883)
#011at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.modify(ReplicationConsumerImpl.java:1215)
#011at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.handleSearchResultEntry(ReplicationConsumerImpl.java:416)
#011at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.doSyncSearch(ReplicationConsumerImpl.java:778)
#011at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.startSync(ReplicationConsumerImpl.java:565)
#011at org.apache.directory.server.ldap.LdapServer$2.run(LdapServer.java:739)
#011at java.lang.Thread.run(Thread.java:744)
DEBUG [org.apache.directory.server.CONSUMER_LOG] - ------------- Ending handleSearchResult ------------

I would have expected these to go away after setting ads-replattributes for the consumer (and restarting), but that didn't seem to affect it. That seems odd, but I really don't want to list all the attributes to replicate anyway so I haven't investigated further.

Looking at protocol-ldap/src/main/java/org/apache/directory/server/ldap/replication/consumer/ReplicationConsumerImpl.java in directory-server, the obvious fix seems to be adding a SchemaConstants.ACCESS_CONTROL_SUBENTRIES_AT in MOD_IGNORE_AT as I can see no reason these should ever be replicated.

Am I missing something or should I just go ahead and file a bug about this?

cheers,
Pontus
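
Added example (not part of the original post, and not ApacheDS code): a small Python triage script for consumer logs shaped like the excerpt above. It pairs each ERR_52 with the DN and CSN being applied at the time, so you can list which entries were rejected on this replica and which operational attribute caused it. The log text is a constructed sample and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the consumer log quoted in the post.
# The second DN is made up; the long DESC clause is shortened.
SAMPLE_LOG = """\
DEBUG [org.apache.directory.server.CONSUMER_LOG] - assigning the cookie from sync state value control: rid=001,csn=20140423074926.153000Z#000000#001#000000
DEBUG [org.apache.directory.server.CONSUMER_LOG] - modifying entry with dn uid=pontusf,ou=People,dc=uppmax,dc=uu,dc=se
ERROR [org.apache.directory.server.CONSUMER_LOG] - ERR_52 Cannot modify the attribute : attributetype ( 1.3.6.1.4.1.18060.0.4.1.2.11 NAME 'accessControlSubentries' #011DESC 'shortened' #011NO-USER-MODIFICATION #011USAGE directoryOperation )
org.apache.directory.api.ldap.model.exception.LdapNoPermissionException: ERR_52 Cannot modify the attribute : attributetype ( 1.3.6.1.4.1.18060.0.4.1.2.11 NAME 'accessControlSubentries' #011NO-USER-MODIFICATION )
#011at org.apache.directory.server.core.schema.SchemaInterceptor.checkModifyEntry(SchemaInterceptor.java:721)
DEBUG [org.apache.directory.server.CONSUMER_LOG] - modifying entry with dn uid=example,ou=People,dc=uppmax,dc=uu,dc=se
DEBUG [org.apache.directory.server.CONSUMER_LOG] - ------------- Ending handleSearchResult ------------
"""

CSN_RE = re.compile(r"sync state value control: .*?csn=(\S+)")
DN_RE = re.compile(r"CONSUMER_LOG\] - modifying entry with dn (.+)$")
# Only the ERROR log line is matched, not the exception text that repeats it.
ERR_RE = re.compile(r"ERROR \[[^\]]*CONSUMER_LOG\] - ERR_52 .*?attributetype "
                    r"\( (\S+) NAME '([^']+)'(.*)")


def failed_replications(log_text):
    """One record per ERR_52, tied to the DN and CSN being applied at the time."""
    failures, dn, csn = [], None, None
    for line in log_text.splitlines():
        if m := CSN_RE.search(line):
            csn = m.group(1)
        elif m := DN_RE.search(line):
            dn = m.group(1).strip()
        elif m := ERR_RE.search(line):
            failures.append({"dn": dn, "csn": csn, "oid": m.group(1),
                             "attribute": m.group(2),
                             "no_user_modification":
                                 "NO-USER-MODIFICATION" in m.group(3)})
            dn = None  # do not attribute a later error to this entry
    return failures


def by_attribute(failures):
    """Map each rejected attribute name to the sorted DNs it blocked."""
    grouped = defaultdict(set)
    for f in failures:
        grouped[f["attribute"]].add(f["dn"] or "<unknown>")
    return {attr: sorted(dns) for attr, dns in grouped.items()}


if __name__ == "__main__":
    for attr, dns in by_attribute(failed_replications(SAMPLE_LOG)).items():
        print(attr, dns)
```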
