LDAP sync frontend in v4.0.x

Arran Cudbard-Bell a.cudbardb at freeradius.org
Thu Apr 27 19:08:52 CEST 2017


> On Apr 27, 2017, at 12:15 PM, Michael Ströder <michael at stroeder.com> wrote:
> 
> Arran Cudbard-Bell wrote:
>> 
>>> On Apr 27, 2017, at 4:21 AM, Michael Ströder <michael at stroeder.com> wrote:
>>> 
>>> Arran Cudbard-Bell wrote:
>>>> Fancied taking a break from refactoring in v4.0.x.
>>>> 
>>>> https://github.org/FreeRADIUS/freeradius-server/blob/v4.0.x/raddb/sites-available/ldap_sync
>>>> 
>>>> The idea is that you can "listen" on DNs within your LDAP directory.
>>>> 
>>>> You then use the updates you receive to create/invalidate cache entries, or send
>>>> CoA/DM messages to reflect the changes that have occurred in LDAP.
>>> 
>>> Nifty feature.
>>> 
>>> But please put a fat note into the comments that the syncrepl client will not see
>>> an entry getting deactivated if server-side ACLs make deactivated entries invisible
>>> to the syncrepl client. (That's the reason why I don't use syncrepl in Æ-DIR
>>> clients.)
>> 
>> If a modification to an entry removes it from the set of entries accessible by the
>> sync user, the sync user will not receive a notification that the entry has changed?
> 
> Yupp.
> 
> If your use-case is updating the cache then the entry will just expire normally later but
> will not be removed immediately.
> 
>> If so, then yes, that is a gotcha... but also just configure your ACLs correctly...
>> There's no reason the user you're binding with should have that sort of restriction.
> 
> For some reasons I consider my de-activation ACLs to be quite correct. ;-]

Because you don't want the fact that a user has been disabled to be mirrored to other instances of the same directory?

At least in OpenLDAP it's perfectly fine to have a dedicated user with its own set of ACLs which you can bind as if you want to perform replication.

I don't understand your point...

-Arran
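The ACL gotcha discussed in this thread, shown as an added illustration in OpenLDAP slapd.conf syntax (not configuration from the original message, from FreeRADIUS, or from Æ-DIR). The suffix dc=example,dc=com, the ou=people subtree, the deactivation marker pwdAccountLockedTime and the identities cn=admin and cn=sync are assumptions constructed for the example; any attribute your directory uses to mark an entry as deactivated works the same way.

```conf
# Constructed example. Assumptions: user entries live under ou=people,
# a deactivated entry carries pwdAccountLockedTime, and the syncrepl
# consumer (the ldap_sync listener) binds as cn=sync,dc=example,dc=com.
# OpenLDAP evaluates "access to" clauses in order; the first clause whose
# <what> matches the entry decides, so the filter clause must come first.

# Variant 1: deactivated entries are invisible to everyone but the admin.
# When pwdAccountLockedTime is set on a user, the entry leaves the set the
# consumer may read, and the consumer receives no notification at all
# (see the thread above): a cached entry only disappears when it expires.
access to dn.subtree="ou=people,dc=example,dc=com" filter=(pwdAccountLockedTime=*)
    by dn.exact="cn=admin,dc=example,dc=com" write
    by * none

access to dn.subtree="ou=people,dc=example,dc=com"
    by dn.exact="cn=admin,dc=example,dc=com" write
    by dn.exact="cn=sync,dc=example,dc=com" read
    by self read
    by * none

# Variant 2: what Arran suggests, the sync identity is exempt from the
# deactivation ACL. cn=sync still sees the entry after it is locked, so
# the modification is delivered and the listener can invalidate the cache
# entry or send CoA/DM. Ordinary users still cannot see locked entries.
# Note the trade-off Michael raises: the sync identity is now one more
# credential that can enumerate deactivated accounts, so scope it to read
# and to the subtree the listener actually needs.
access to dn.subtree="ou=people,dc=example,dc=com" filter=(pwdAccountLockedTime=*)
    by dn.exact="cn=admin,dc=example,dc=com" write
    by dn.exact="cn=sync,dc=example,dc=com" read
    by * none

access to dn.subtree="ou=people,dc=example,dc=com"
    by dn.exact="cn=admin,dc=example,dc=com" write
    by dn.exact="cn=sync,dc=example,dc=com" read
    by self read
    by * none
```

Only one of the two variants belongs in a real slapd.conf; they are shown side by side so the difference in the first clause's "by" list is visible.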