LDAP sync frontend in v4.0.x

Michael Ströder michael at stroeder.com
Thu Apr 27 18:15:35 CEST 2017


Arran Cudbard-Bell wrote:
> 
>> On Apr 27, 2017, at 4:21 AM, Michael Ströder <michael at stroeder.com> wrote:
>>
>> Arran Cudbard-Bell wrote:
>>> Fancied taking a break from refactoring in v4.0.x.
>>>
>>> https://github.org/FreeRADIUS/freeradius-server/blob/v4.0.x/raddb/sites-available
>>> /ldap_sync
>>>
>>> The idea is that you can "listen" on DNs within your LDAP directory.
>>>
>>> You then use the updates you receive to create/invalidate cache entries, or send
>>> CoA/DM messages to reflect the changes that have occurred in LDAP.
>>
>> Nifty feature.
>>
>> But please put a fat note into the comments that the syncrepl client will not see
>> an entry getting deactivated if server-side ACLs make deactivated entries invisible
>> to the syncrepl client. (That's the reason why I don't use syncrepl in Æ-DIR
>> clients.)
> 
> If a modification to an entry removes it from the set of entries accessible by the
> sync user, the sync user will not receive a notification that the entry has changed?

Yupp.

If your use-case is updating the cache then the entry will just expire normally later but
will not be removed immediately.

> If so, then yes, that is a gotcha... but also just configure your ACLs correctly...
> There's no reason the user you're binding with should have that sort of restriction.

For some reason I consider my de-activation ACLs to be quite correct. ;-]

Ciao, Michael.
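The gotcha discussed in this thread, as an added illustration that is not part of the mail or of FreeRADIUS: a simulated syncrepl consumer whose sync user is hidden from deactivated entries by an assumed server-side ACL, showing that the cached copy lives on until its TTL expires and that a periodic full search is one way to evict it sooner. DNs, attributes and the ACL are constructed.

```python
# Simulated syncrepl consumer with a TTL cache (constructed example, not
# FreeRADIUS code). The "directory" dict stands in for the LDAP server.
ALICE = "uid=alice,ou=people,dc=example,dc=org"   # constructed sample DNs
BOB = "uid=bob,ou=people,dc=example,dc=org"

def sample_directory():
    """Constructed server contents; 'active' drives the deactivation ACL."""
    return {ALICE: {"uid": "alice", "active": True},
            BOB: {"uid": "bob", "active": True}}

class SyncConsumer:
    def __init__(self, directory, ttl):
        self.directory = directory      # the simulated server's entries
        self.ttl = ttl                  # cache lifetime in seconds
        self.cache = {}                 # dn -> (attrs, expiry time)
        self.notifications = []         # what the sync user actually received

    def visible(self):
        """Assumed ACL: the sync user can only read active entries."""
        return {dn: e for dn, e in self.directory.items() if e["active"]}

    def initial_load(self, now):
        for dn, e in self.visible().items():
            self.cache[dn] = (dict(e), now + self.ttl)

    def modify_on_server(self, dn, changes, now):
        """Apply a change server-side, then deliver what syncrepl would send."""
        self.directory[dn].update(changes)
        if dn in self.visible():
            self.notifications.append(("modify", dn))
            self.cache[dn] = (dict(self.directory[dn]), now + self.ttl)
        # Entry now hidden by the ACL: no delete/modify reaches the consumer,
        # so the cached copy silently lives on until its TTL expires.

    def lookup(self, dn, now):
        hit = self.cache.get(dn)
        if hit and hit[1] > now:
            return hit[0]
        self.cache.pop(dn, None)        # expired or never cached
        return None

    def reconcile(self):
        """Mitigation: a periodic full search evicts entries no longer visible."""
        alive = self.visible()
        stale = [dn for dn in self.cache if dn not in alive]
        for dn in stale:
            del self.cache[dn]
        return stale
```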
