Full_Name: Alex Schumann Version: 2.4.11 OS: freebsd 7.0-release-p3 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (128.101.220.229)
We are using nis.schema's nisNetgroupTriple to hold unix netgroups. When we make a change, we do so using the following code snipit:
$mesg = $ldap_master->modify ( $dn, replace => [ 'nisNetgroupTriple' => @{$groups{$g}} ] );
The master accepts this change, but all the syncrepl slaves immediately start failing:
Oct 29 11:54:28 lanark slapd[4187]: syncrepl_entry: rid=001 be_search (0) Oct 29 11:54:28 lanark slapd[4187]: syncrepl_entry: rid=001 cn=ng115,ou=Netgroup,dc=suppressed,dc=suppressed,dc=suppressed Oct 29 11:54:28 lanark slapd[4187]: syncrepl_entry: rid=001 entry unchanged, ignored (cn=ng115,ou=Netgroup,dc=suppressed,dc=suppressed,dc=suppressed) Oct 29 11:54:28 lanark slapd[4187]: syncrepl_entry: rid=001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) Oct 29 11:54:28 lanark slapd[4187]: syncrepl_entry: rid=001 be_search (0) Oct 29 11:54:28 lanark slapd[4187]: syncrepl_entry: rid=001 cn=ng116,ou=Netgroup,dc=suppressed,dc=suppressed,dc=suppressed Oct 29 11:54:28 lanark slapd[4187]: null_callback : error code 0x12 Oct 29 11:54:28 lanark slapd[4187]: syncrepl_entry: rid=001 be_modify (18) Oct 29 11:54:28 lanark slapd[4187]: syncrepl_entry: rid=001 be_modify failed (18) Oct 29 11:54:28 lanark slapd[4187]: do_syncrepl: rid=001 retrying
Error code 0x12 is LDAP_INAPPROPRIATE_MATCHING, which indicates that syncrepl tried to do a delete/add on a multivalued attribute witohout an equality matching rule. Reason being, the schema for nis defines nisNetgroupTriple without an EQUALITY. You can argue between openldap and sun if that is an error in the schema, but fact is syncrepl should not fail in this or similar cases. Proper behavior would be if there is no equality, syncrepl should fall back to a replace.
many thanks to hyc on freenode #openldap for helping me to understand what was going on here.
http://www.archivesat.com/OpenLDAP_bugs/thread1581049.htm indicates nisNetgroupTriple is improperly defined according to SUN, but is really an aside on this bug.