Re: troubles with back-ldap based replication

[DT Piotr Wadas <pwadas@dtpw.pl>]

On Tue, 14 Sep 2010, DT Piotr Wadas wrote:

> 
> 
> Hello.
> 
> I have some troubles setting syncrepl + back-ldap push based
> replication, as described on
> 
> http://www.openldap.org/doc/admin24/replication.html#LDAP Sync Replication
> 
> I'm using current stable openldap - the problem is, when I set up daemons 
> (using the same slapcat output file) and modify e.g. "description" 
> attribute on master side, back-ldap pushes out system attributes like 
> entryCSN, creatorsName, etc, which causes modify operation to fail on 
> final consumer side.
> 
> conn=1000 op=33 MOD attr=creatorsName createTimestamp description entryCSN
> conn=1000 op=33 RESULT tag=103 err=19 text=creatorsName: no user modification allowed
> 
> Is it some ACL-related matter, should I create some ACL, which
> denies to read of system attributes on master-side, to avoid replicating
> it with syncrepl to local back-ldap ? 
> 
> In such push-based scenario ( in opposite to classic provider-consumer 
> syncrepl), final consumer does not know actually that it is a replica, 
> it's just receiving modify operation, how do I prevent read-only system 
> attributes from being pushed from back-ldap to final replica?
> 
> Regards,
> DT
> 

man slapd-ldap says:

>>Note: In early versions of back-ldap it was recommended to always set 
lastmod  off for ldap and meta databases.  This was required because operational 
attributes related to entry creation and modification should not be 
proxied, as they could  be mistakenly written to the target server(s), 
generating an error. The current implementation automatically sets lastmod 
to off, so its use is redundant and should be omitted.<<

Anyway, I'm using newest stable (2.3.23), and this behaviour seems to 
happen. Setting "lastmod off" does not work -

syncprov_db_open: invalid config, lastmod must be enabled

Regards,
DT