Re: Replication from OpenLDAP to Fedora 389 DS
On Mon, 24 Feb 2014 22:08:30 -0300,
Italo Valcy <italovalcy@gmail.com> wrote:
> Dear all,
>
> I'm trying to set up replication from OpenLDAP to Fedora 389 DS. It
> used to work by running slurpd in a push mode initiated by the
> provider. With OL 2.4 this seems to be replaced by syncrepl proxy
> mode [1], which works by defining a LDAP backend that will write
> updates on the consumer from data received from syncrepl engine
> (provider), acting as a proxy (examples in [1]).
>
> This is not working in case of synchronization from OL to 389 DS,
> because operational attributes (entryCSN, structuralObjectClass,
> entryUUID, etc.) are not accepted in 389 DS, giving the following
> error in 389 DS:
>
> [22/Feb/2014:18:17:25 -0300] - Entry
> "uid=XXX,dc=sub,dc=example,dc=com" -- attribute "entrycsn" not allowed
>
> I've tried to filter those operational attributes on syncrepl, by using
> "exattrs='structuralObjectClass,entryUUID,entryCSN'" but it didn't
> help. Another approach (the right one, see below) would be to disable
> "lastmod", but then syncprov overlay complains and doesn't start
> (lastmod TRUE is required by syncprov).
>
> From LDAP backend man pages, it already gives a feeling that when
> proxying, then lastmod should be OFF (and this is the default
> behavior):
>
> "Note: In early versions of back-ldap it was recommended to always set
> 'lastmod off' for ldap and meta databases. This was required
> because operational attributes related to entry creation and
> modification should not be proxied, as they could be mistakenly
> written to the target server(s), generating an error."
>
> So, is there any way to not export the operational attributes from
> OL in the above scenario?
RFC 3673 describes an 'All Operational Attributes' mechanism, which is
defined as '+', while an '*' defines all user attributes.
man slapd-config(5) comments in the olcSyncrepl part on default value
'attrs=*,+'. Just define attrs=*
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
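
A configuration check that follows from the reply, as an added example (not code from the thread or from OpenLDAP): it unwraps slapd.conf continuation lines and reports, per syncrepl rid, whether the effective attrs list requests operational attributes, treating a missing attrs as the default '*,+'. The sample configuration, its hostnames and its rid values are constructed, and slapd.conf syntax (rather than cn=config LDIF) is an assumption.

```python
import shlex

DEFAULT_ATTRS = "*,+"  # default value noted in the reply (slapd-config(5))
# Operational attributes named in the thread; '+' (RFC 3673) requests all of them.
NAMED_OPERATIONAL = {"entrycsn", "structuralobjectclass", "entryuuid"}

# Constructed sample; hostnames, rid values and layout are made up.
SAMPLE_CONF = '''\
database    ldap
suffix      "dc=sub,dc=example,dc=com"
uri         ldap://ds389.example.com/
syncrepl    rid=001
            provider=ldap://openldap.example.com/
            searchbase="dc=sub,dc=example,dc=com"
            type=refreshAndPersist
            retry="5 5 300 5"
# second stanza, narrowed to user attributes only
syncrepl    rid=002
            provider=ldap://openldap.example.com/
            searchbase="dc=sub,dc=example,dc=com"
            attrs="*"
'''

def logical_lines(text):
    """Unwrap continuation lines (leading whitespace), then drop comments."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return [l for l in lines if not l.startswith("#")]

def audit_syncrepl(text):
    """Return {rid: (effective attrs, requests_operational)} per syncrepl."""
    report = {}
    for line in logical_lines(text):
        tokens = shlex.split(line)  # keeps key="quoted value" as one token
        if tokens[0].lower() != "syncrepl":
            continue
        params = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        attrs = params.get("attrs", DEFAULT_ATTRS)
        wanted = [a.strip().lower() for a in attrs.split(",")]
        operational = any(a == "+" or a in NAMED_OPERATIONAL for a in wanted)
        report[params.get("rid", "?")] = (attrs, operational)
    return report

if __name__ == "__main__":
    for rid, (attrs, op) in audit_syncrepl(SAMPLE_CONF).items():
        print(f"rid={rid} attrs={attrs!r} requests operational attributes: {op}")
```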