RE: memberof overlay replicating memberOf attribute?
- To: "'Quanah Gibson-Mount'" <quanah@zimbra.com>, <openldap-technical@openldap.org>
- Subject: RE: memberof overlay replicating memberOf attribute?
- From: "Paul B. Henson" <henson@acm.org>
- Date: Fri, 11 Oct 2013 17:54:10 -0700
- In-reply-to: <94B27BB30AF92736A454805E@[192.168.1.93]>
- References: <fedc01cec6bd$7dbba090$7932e1b0$@acm.org> <94B27BB30AF92736A454805E@[192.168.1.93]>
> From: Quanah Gibson-Mount [mailto:quanah@zimbra.com]
> Sent: Friday, October 11, 2013 1:49 PM
>
> > This seems contrary to the documentation and I found it confusing. Am I
> > missing something?
>
> The memberof overlay should be loaded on all servers. Also see the ITS I
> just referenced to you...

In the ticket, there is some discussion of whether or not memberOf should be
a "DSA-specific attribute" and hence not replicated; the discussion was not
resolved, but I would vote for yes. The slapo-memberof man page says:

"The maintenance operations it performs are internal to the server on which
the overlay is configured and are never replicated. Replica servers
should be configured with their own instances of the memberOf overlay if it
is desired to maintain these memberOf attributes on the replicas."

Considering memberOf is not part of any standard schema, and only valid if
the memberof overlay is loaded, it seems it would make sense for it not to be
replicated to remote servers that might not know what to do with it. If for
some reason that won't be done, then ideally at least the documentation
could be updated to make it clear that the attribute *is* replicated, and
that all of the servers should be reconfigured to include the overlay before
any group membership is updated to prevent an invalid attribute from showing
up...

Thanks.