RE: slapd consumer deletes entries

["Clowser, Jeff" <jeff_clowser@fanniemae.com>]

> This is due to a common mistake of using "attrs=*", which removes the 
> operational attributes that syncrepl uses to track changes.  
> I really wish 
> I knew where people got this from, because 99.999999% of the 
> time you do 
> not want to use this value.  You should not specify the 
> attrs= line at all 
> in a syncrepl configuration unless you really really need to limit 
> replication in some way.  If you want to keep the attrs line, 
> change it to 
> attrs="*,+" so that all attributes are replicated.

The unfortunate reality is that even that doesn't always help.
If operational attributes are set by an overlay without updating the
entrycsn, 
etc, they still won't be replicated.  Worse, if something else in an
entry 
changes that causes replication for that entry, these op attrs *may*
replicate
along with the other change (I think it depends on whether or not you
use
delta sync), making operational attribute replication entirely
unreliable and unpredictable.  Learned this the hard way with password
policy
attributes (supposedly this has been fixed for ppolicy, but nothing
preventing
this from happening elsewhere/in other plugins).  Until and unless core
code always updates this with a write to the db, without any way for an
overlay to write to the db without updating the entrycsn/etc, this will
always
be unreliable.