LDAP sync frontend in v4.0.x
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Thu Apr 27 17:23:37 CEST 2017
> On Apr 27, 2017, at 4:21 AM, Michael Ströder <michael at stroeder.com> wrote:
>
> Arran Cudbard-Bell wrote:
>> Fancied taking a break from refactoring in v4.0.x.
>>
>> https://github.org/FreeRADIUS/freeradius-server/blob/v4.0.x/raddb/sites-available/ldap_sync
>>
>> The idea is that you can "listen" on DNs within your LDAP directory.
>>
>> You then use the updates you receive to create/invalidate cache entries, or send
>> CoA/DM messages to reflect the changes that have occurred in LDAP.
>
> Nifty feature.
>
> But please put a fat note into the comments that the syncrepl client will not see an
> entry getting deactivated if server-side ACLs make deactivated entries invisible to the
> syncrepl client. (That's the reason why I don't use syncrepl in Æ-DIR clients.)
If a modification to an entry removes it from the set of entries accessible by the sync user, the sync user will not receive a notification that the entry has changed?
If so, then yes, that is a gotcha... but also just configure your ACLs correctly... There's no reason the user you're binding with should have that sort of restriction.
-Arran