LDAP sync frontend in v4.0.x

Arran Cudbard-Bell a.cudbardb at freeradius.org
Thu Apr 27 19:08:52 CEST 2017

> On Apr 27, 2017, at 12:15 PM, Michael Ströder <michael at stroeder.com> wrote:
> Arran Cudbard-Bell wrote:
>>> On Apr 27, 2017, at 4:21 AM, Michael Ströder <michael at stroeder.com> wrote:
>>> Arran Cudbard-Bell wrote:
>>>> Fancied taking a break from refactoring in v4.0.x.
>>>> https://github.org/FreeRADIUS/freeradius-server/blob/v4.0.x/raddb/sites-available
>>>> /ldap_sync
>>>> The idea is that you can "listen" on DNs within your LDAP directory.
>>>> You then use the updates you receive to create/invalidate cache entries, or send
>>>> CoA/DM messages to reflect the changes that have occurred in LDAP.
>>> Nifty feature.
>>> But please put a fat note into the comments that the syncrepl client will not see
>>> an entry getting deactivated if server-side ACLs make deactivated entries invisible
>>> to the syncrepl client. (That's the reason why I don't use syncrepl in Æ-DIR
>>> clients.)
>> If a modification to an entry removes it from the set of entries accessible by the
>> sync user, the sync user will not receive a notification that the entry has changed?
> Yupp.
> If your use-case is updating the cache then the entry will just expire normally later but
> will not be removed immediately.
>> If so, then yes, that is a gotcha... but also just configure your ACLs correctly...
>> There's no reason the user your binding with should have that sort of restriction.
> For some reasons I consider my de-activation ACLs to be quite correct. ;-]

Because you don't want the fact that a user has been disabled to be mirrored to other instances of the same directory?

At least in OpenLDAP it's perfectly fine to have a dedicated user with its own set of ACLs which you can bind as if you want to perform replication.

I don't understand your point...

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20170427/431ec55b/attachment.sig>

More information about the Freeradius-Users mailing list