
Re: SASL OTP and syncrepl



Emmanuel Dreyfus wrote:
Howard Chu <hyc@symas.com> wrote:

How is it supposed to work?
Most likely it's not. Since almost nobody uses SASL OTP with OpenLDAP, it's
never gotten much attention.

What do people use, then?

As far as I understand, there needs to be
some code for the replica to send the update to the master. Is the code
missing, or do I have a configuration problem that prevents it from
working? Or do I hit a bug?
Look into chaining...

I have it configured already. Do you confirm this is a bug to be fixed
in the chain overlay?

Not necessarily. Every write to a well-configured replica should be rejected with a referral. The chain overlay will intercept the referral and chase it, applying the modification to the master. You need to check why no referral is returned, since the master's value eventually overrides the replica's. Either the configuration uses an identity that bypasses shadow checks (like the updatedn) or some SASL-related code (slap_auxprop_store?) is performing an internal modification with some special flag that bypasses shadow checks. I'm not going to debug this issue right now (no time, sorry), but you should look at something along these lines.

p.
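
The configuration side of the checks suggested in the reply above can be scripted. The following is an added example, not part of the original thread or of OpenLDAP: it assumes the replica is configured through a slapd.conf-style file, and the sample configuration, host names, DNs and function names are constructed for illustration. It cannot detect the other possibility raised in the reply, an internal modification made by SASL-related code.

```python
import re

# Constructed sample replica slapd.conf; host names and DNs are placeholders.
SAMPLE_CONF = """\
overlay chain
chain-uri ldap://master.example.com

database bdb
suffix "dc=example,dc=com"
syncrepl rid=001
  provider=ldap://master.example.com
  searchbase="dc=example,dc=com"
updatedn "uid=otpuser,ou=people,dc=example,dc=com"
"""

def norm(dn):
    """Crude DN comparison key: lower-case, no spaces around commas."""
    return re.sub(r"\s*,\s*", ",", dn.strip().strip('"').lower())

def parse(conf):
    """Return (global directives, list of per-database directive lists)."""
    glob, dbs, cur = [], [], None
    for line in conf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        target = glob if cur is None else cur
        if line[0].isspace() and target:      # continuation of previous directive
            target[-1][1] += " " + line.strip()
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "database":    # starts a new database section
            cur = target = []
            dbs.append(cur)
        target.append([parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""])
    return glob, dbs

def check_replica(conf, bind_dn):
    """List reasons a write by bind_dn would not end in a chased referral."""
    glob, dbs = parse(conf)
    has_global_ref = any(k == "referral" for k, _ in glob)
    findings = []
    for db in dbs:
        keys = {k for k, _ in db}
        if "syncrepl" not in keys:            # not a shadow database
            continue
        if "updateref" not in keys and not has_global_ref:
            findings.append("no updateref or referral: no referral can be returned")
        if not any(k == "overlay" and v.lower() == "chain" for k, v in glob + db):
            findings.append("chain overlay not configured: referral is not chased")
        if any(k == "updatedn" and norm(v) == norm(bind_dn) for k, v in db):
            findings.append("bind identity equals updatedn: shadow checks are bypassed")
    return findings
```

Calling `check_replica(SAMPLE_CONF, ...)` with the DN the SASL OTP user binds as returns one string per finding, and an empty list when none of these configuration causes applies.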