[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#6329) memberof overlay doesn't update entryCSN

To: openldap-its@OpenLDAP.org
Subject: (ITS#6329) memberof overlay doesn't update entryCSN
From: msmith@cbnco.com
Date: Tue, 13 Oct 2009 14:04:48 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

Full_Name: Michael Smith
Version: 2.4.18-55.1
OS: SLES11 (SUSE)
URL: 
Submission from: (NULL) (207.164.182.8)


Hi,

It looks like the memberof overlay doesn't update a user object's entryCSN when
a group object is changed. I believe this causes trouble with syncrepl, at least
in a multi-master configuration: if one node is down when the group object is
changed, it won't know it needs to update the user object when it comes back.

I'm a little confused because while the entryCSNs don't change on the server
where the group is updated, they do change on the other servers in the
replication group. For example, if I add a user to a group on node 2, the user's
entryCSN on node 2 might be "20091008032402.932100Z#000000#002#000000": old
timestamp, correct server ID. On node 1 the entryCSN might be
"20091008032142.915412Z#000000#002#000000": current timestamp, correct server
ID.

I'm using syncrepl with refreshAndPersist and syncprov. The memberof overlay is
using its default configuration. In the stacking order, memberof comes before
syncprov, but it behaved the same way in both orders. All nodes are configured
with memberof and syncprov. The servers' clocks are in sync (NTP).

There was a thread on openldap-software here:

http://thread.gmane.org/gmane.network.openldap.general/45790/focus=45808

This is what my configuration looks like on node 1:

dn: cn=config
# ...
olcServerID: 1

dn: olcDatabase={1}hdb,cn=config
# ...
olcAccess: {0}to attrs=userPassword by self write
    by dn.subtree="ou=service,dc=dom" read by * auth
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to attrs=userPKCS12 by self read by * none
olcAccess: {3}to * by * read
olcDbIndex: objectclass eq
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
olcLimits: {0}dn.subtree="ou=service,dc=dom" time.soft=unlimited
    time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcSyncrepl: {0}rid=002 provider=ldap://ldap2.dom
    binddn="cn=repluser,ou=service,dc=dom" bindmethod=simple
    credentials=xxxxxx searchbase="dc=dom" attrs="*,+"
    type=refreshAndPersist schemachecking=off
    tls_cacert=/etc/openldap/ssl/ca.crt tls_reqcert=demand
    interval=00:00:05:00 retry="60 +"
olcMirrorMode: TRUE

dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
olcOverlay: {1}memberof

dn: olcOverlay={1}syncprov,olcDatabase={1}hdb,cn=config
objectClass: olcSyncProvConfig
olcSpCheckpoint: 100 10
olcSpSessionlog: 1000
olcOverlay: {0}syncprov

Node 2 looks the same, but with olcServerID: 2 and provider=ldap://ldap1.dom.

Thanks,
Mike

Prev by Date: Re: (ITS#6320)
Next by Date: [Fwd: Re: [Lam-public] LDAP sizelimit exceeded, not all entries are shown.]
Index(es):
- Chronological
- Thread