[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: pwdChangedTime/authTimestamp, MMR etc.

Forgot this info:

OpenLDAP 2.4.39 with back-mdb

refreshAndPersist with keepalive set,
authc with SASL/EXTERNAL based on TLS client certs

On Fri, 15 Aug 2014 12:21:30 +0200 "Michael Ströder" <michael@stroeder.com>
> HI!
> I have a replication topology with providers running with MMR and a layer of
> r/o consumers..
> - spread across three data centers
> - in two different countries (DE and foreign country)
> Network traffic between the countries has higher latency so consumers are
> only accessing providers within the same country.
> Write operations go nearly 100% to a single provider in Germany.
> All systems are using these overlays:
> - slapo-ppolicy (mostly for password expiry)
> - slapo-lastbind overlays
> - slapo-accesslog (yes, also on consumers)
> Now occasionally contextCSN values differ most times for a couple of minutes
> on the consumers in the foreign country from their local providers.
> I cannot tell exactly which conditions are causing this. But I observed that
> most times there was a login failure on the provider in Germany which results
> in 'pwdChangedTime' being set and replicated to the consumers. Most times
> followed by 'authTimestamp' being correctly set.
> So I wonder whether the differences of the contextCSN values could be caused
> by 'pwdChangedTime' and 'authTimestamp' being replicated to providers but not
> to consumers.
> Any clue? Thanks in advance.
> Ciao, Michael.

Michael Ströder                 Klauprechtstr. 11
Dipl.-Inform.                   D-76137 Karlsruhe, Germany
Tel.: +49 721 8304316           Mobil: +49 170 2391920
E-Mail: michael@stroeder.com    http://www.stroeder.com