Re: slapo-memberof(5) confusing documentation

Michael, hello.

On 9 Sep 2019, at 16:16, Michael Ströder wrote:

On 9/9/19 4:06 PM, Norman Gray wrote:

However, immediately after that, the text says:

Note that slapo-memberOf is not compatible with syncrepl based replication, and should not be used in a replicated environment. An alternative is to use slapo-dynlist to emulate slapo-memberOf behavior.

This seems to flatly contradict (my understanding of) the first part of the paragraph.

The problem is that in syncrepl refresh phase entries can be replicated in any order. So if a group entry comes in before the member entries are present you will see some warnings in the log and the entries may not be consistent.

See ITS#8613 for details:

Indeed: I quoted ITS#8613 which says 'slapo-memberOf overlay is not safe to use in a replicated environment', because of the ordering issue that you've mentioned here.

It seems that one can use the memberof overlay if-and-only-if one has separately done something to deal with the ordering (which would be tricky) or one has some means of completely avoiding 'refresh' mode in the sync (which would be tricky). In practice, that looks very much like a 'no', and the contradiction in the manpage still seems to be present.

For what it's worth, the manpage text looks as if the 'Note that...' sentence were added at some point (possibly in response to ITS#8613?) without amending the text immediately before it, so that the result is a little garbled.

Best wishes,


Norman Gray  :  https://nxg.me.uk