emmanuel.duru@atosorigin.com wrote:

Full_Name: Emmanuel Duru Version: 2.3.39 OS: Windows URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (195.68.44.148)

I'm trying to set a directory architecture with a syncrepl push based replication, as (partly) stated in the admin guide, chapter 16.1.1. I have a provider slapd with bdb, an intermediate slapd with back-ldap, which points to a consumer slapd with bdb. First, I have to set an updateDN on the consumer slapd, else back-ldap gets a "no user modification allowed" error on operational attributes (structuralobjectclass, contextcsn) when it tries to update the consumer slapd

That is expected.

(the admin guide says the opposite).

I guess the Admin Guide has a bug then. What exact section are you referring to?

Then this does not work at all when modifying an entry, because back-ldap gets a "modify/delete: hasSubordinates: no such attribute" error when it tries to update the entry.

That's also expected, since hasSubordinates is a dynamically generated operational attribute (and also read-only, as I recall). You need to exclude any dynamically generated operational attributes from the syncrepl search. E.g. 2.4's test045 specifically tests this scenario, and the syncrepl spec uses: syncrepl rid=1 provider=ldap://localhost:9011/ binddn="cn=Manager,dc=example,dc=com" bindmethod=simple credentials=secret searchbase="dc=example,dc=com" filter="(objectClass=*)"

attrs="*,structuralObjectClass,entryUUID,entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp" schemachecking=off scope=sub type=refreshAndPersist retry="5 5 300 5"

In general, while this is known to work in 2.3, you're better off using 2.4. (We intentionally did not include test045 in 2.3...)