LDAP sync frontend in v4.0.x

Arran Cudbard-Bell a.cudbardb at freeradius.org
Thu Apr 27 17:23:37 CEST 2017


> On Apr 27, 2017, at 4:21 AM, Michael Ströder <michael at stroeder.com> wrote:
> 
> Arran Cudbard-Bell wrote:
>> Fancied taking a break from refactoring in v4.0.x.
>> 
>> https://github.org/FreeRADIUS/freeradius-server/blob/v4.0.x/raddb/sites-available
>> /ldap_sync
>> 
>> The idea is that you can "listen" on DNs within your LDAP directory.
>> 
>> You then use the updates you receive to create/invalidate cache entries, or send
>> CoA/DM messages to reflect the changes that have occurred in LDAP.
> 
> Nifty feature.
> 
> But please put a fat note into the comments that the syncrepl client will not see an
> entry getting deactivated if server-side ACLs make deactivated entries invisible to the
> syncrepl client. (That's the reason why I don't use syncrepl in Æ-DIR clients.)

If a modification to an entry removes it from the set of entries accessible by the sync user, the sync user will not receive a notification that the entry has changed?

If so, then yes, that is a gotcha... but also just configure your ACLs correctly... There's no reason the user your binding with should have that sort of restriction.

-Arran
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20170427/cd9f63d5/attachment.sig>


More information about the Freeradius-Users mailing list