I would like to be able to syncrepl only a subtree of cn=config, namely cn=schema,cn=config:
# {0}config, config
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
,cn=auth manage by * break
olcAccess: {1}to * by * none
olcRootDN: cn=admin,cn=config
olcRootPW: {SSHA}just_another_secret
olcSyncUseSubentry: FALSE
olcSyncrepl: {0}rid=001 provider=ldap://provider.example.org binddn="cn=consumer
,dc=example,dc=org" bindmethod=simple credentials="secret" searchbase="cn=sch
ema,cn=config" type=refreshOnly filter="(!(cn=*core))" interval=00:00:30:00
retry="5 5 30 +" timeout=1 scope=sub schemachecking=on starttls=yes
But, if I define cn=config as a shadow tree (even for a subtree, see searchbase) I am not longer allowed to modify it.
My error is:
modifying entry "cn=config"
ldap_modify: Server is unwilling to perform (53)
additional info: shadow context; no update referral
even if I try to modify the attribute 'olcLogLevel', located in cn=config which is up-level respect the syncrepl-icated cn=schema,cn=config.
Which is the correct way to syncrepl just a subtree of cn=config?
0 Answers