
Re: syncrepl and memberof do not work well together



Hi Michael,

Like I wrote in my previous email, I have configured the memberof overlay in the consumer
too and it *does* work when adding/removing members from groups. But when an entry that
contains "memberOf" values is modified, these values are deleted in the consumer.

The configuration of the consumer db is nothing special but here it is anyway:

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/db/openldap-data/testing
olcSuffix: dc=example,dc=com
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" manage by * break
olcAccess: {1}to attrs=userPassword by anonymous auth
olcAccess: {2}to dn.base="dc=example,dc=com" by * read
olcRootDN: cn=admin,dc=example,dc=com
olcDbIndex: objectClass eq
olcDbMaxSize: 209715200
olcSyncrepl: {0}rid=010 provider="ldaps://ldap.example.com" searchbase="dc=e
 xample,dc=com" type=refreshAndPersist retry="5 12 30 10 300 +" schemachecki
 ng=on bindmethod=simple binddn="cn=ldaptest,ou=admins,dc=example,dc=com" cr
 edentials=******* exattrs=memberOf tls_cacert="/etc/certs/ca.pem"

dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {0}memberof



On 05/18/2015 01:45 PM, Michael Ströder wrote:
> John Alex. wrote:
>> I have a provider-consumer configuration (both at version 2.4.40) where the consumer uses
>> simple syncrepl (no delta sync). I am using the memberof overlay in the provider, and,
>> having read the slapo-memberof manpage and ITS#7400, I made sure to exclude "memberof"
>> from the synced attributes,
> 
> Explicitly excluding "memberof" should not be necessary with 2.4.40.
> 
>> The problem occurs when a user entry is modified in any way, e.g. by changing a password,
>> adding a description, etc. From what I understand, when a change occurs in an entry,
>> non-delta syncrepl causes the entire entry to be resynced, not just the modified
>> attributes. The result is that the "memberof" attributes of this entry on the consumer are
>> removed.
>>
>> Is this the intended behavior?
> 
> No, this is not intended. But note that you have to run slapo-memberof on each replica
> since the "memberof" attribute is maintained locally.
> 
> Without seeing your config it's impossible to say more.
> 
> Ciao, Michael.
>
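The symptom described in this thread (a consumer whose entries lose their memberOf values after a resync while the groups themselves are intact) can be checked mechanically. The following script is an added example, not code from the original thread or from OpenLDAP: it parses an LDIF dump of the consumer (for instance the output of `slapcat` or `ldapsearch -LLL`), derives the memberOf each entry should carry from the groups' `member`/`uniqueMember` attributes, and reports every entry whose stored memberOf disagrees. The group and user entries embedded below are constructed for the example; DNs are compared as exact strings, so a real dump should come from one server so that case and spacing are consistent.

```python
"""Consistency check for memberOf on a syncrepl consumer (added example)."""
import sys
from collections import defaultdict

# Constructed sample dump: two groups, two users. Alice's memberOf is
# intact; Bob's entry was modified and resynced and his memberOf is gone.
SAMPLE_LDIF = """\
dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com

dn: cn=devs,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: devs
member: uid=bob,ou=people,dc=example,dc=com

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
memberOf: cn=admins,ou=groups,dc=example,dc=com

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
description: modified after the groups were populated
"""


def parse_ldif(text):
    """Parse minimal LDIF into {dn: {attr_lowercase: [values]}}.

    Unfolds continuation lines (a line starting with one space continues
    the previous line, as in the olcSyncrepl lines quoted above) and skips
    comments. Base64 ("::") values are not needed for this check.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, current = {}, None, None
    for line in lines + [""]:  # sentinel blank line flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = current
            dn, current = None, None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn, current = value, defaultdict(list)
        elif current is not None:
            current[attr].append(value)
    return entries


def expected_memberof(entries, member_attrs=("member", "uniquemember")):
    """Derive the memberOf every entry should hold from the group entries."""
    expected = defaultdict(set)
    for group_dn, attrs in entries.items():
        for attr in member_attrs:
            for member_dn in attrs.get(attr, []):
                expected[member_dn].add(group_dn)
    return expected


def find_discrepancies(ldif_text):
    """Return {dn: {"missing": [...], "stale": [...]}} for inconsistent entries."""
    entries = parse_ldif(ldif_text)
    expected = expected_memberof(entries)
    problems = {}
    for dn, attrs in entries.items():
        actual = set(attrs.get("memberof", []))
        want = expected.get(dn, set())
        if actual != want:
            problems[dn] = {"missing": sorted(want - actual),
                            "stale": sorted(actual - want)}
    return problems


if __name__ == "__main__":
    # Usage: python check_memberof.py consumer.ldif   (no argument: sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for dn, diff in find_discrepancies(data).items():
        print(f"{dn}: missing={diff['missing']} stale={diff['stale']}")
```

Run it against dumps from both the provider and the consumer: a clean report on the provider and a "missing" report on the consumer for exactly the entries that were modified since the groups were populated reproduces the behaviour John describes and gives a concrete list of entries to repair (for example by re-adding those memberships, or by a full refresh once the overlay configuration is corrected).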