On Wed, 14 Oct 2009, masarati@aero.polimi.it wrote:

Should be fixed in HEAD (one-line fix, see overlays/memberof.c 1.25 -> 1.26).

Please test. Thanks, p.

Thanks - I applied this to openldap 2.4.19 and the entryCSNs now match on all nodes, as long as they're all up when a group is modified.

I still get something strange if one node is down: if I remove a user from a group on the working node, then bring the failed node back, the failed node doesn't sync the modified group and user objects. For example, if I remove testuser3 from testgroup2 while node 2 is down, then bring node 2 back, I get this on node 1:

dn: uid=testuser3,ou=people,dc=dom memberOf: cn=testgroup1,ou=group,dc=dom entryCSN: 20091015040419.455869Z#000000#001#000000

dn: cn=testgroup2,ou=group,dc=dom member: uid=testuser2,ou=people,dc=dom entryCSN: 20091015040419.455869Z#000000#001#000000

And this on node 2:

dn: uid=testuser3,ou=people,dc=dom memberOf: cn=testgroup2,ou=group,dc=dom memberOf: cn=testgroup1,ou=group,dc=dom entryCSN: 20091015033445.046089Z#000000#002#000000

dn: cn=testgroup2,ou=group,dc=dom member: uid=testuser2,ou=people,dc=dom member: uid=testuser3,ou=people,dc=dom entryCSN: 20091015033233.354687Z#000000#001#000000

I don't have this problem with changes that don't involve member/memberOf attributes. For example, I can add a description attr to the group object while node 2 is down, and when I bring it back up, it picks up the change.

On both nodes I've got the memberof and syncprov overlays turned on, in that order.

dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config objectClass: olcOverlayConfig olcOverlay: {0}memberof

dn: olcOverlay={1}syncprov,olcDatabase={1}hdb,cn=config objectClass: olcSyncProvConfig olcSpCheckpoint: 100 10 olcSpSessionlog: 1000 olcOverlay: {1}syncprov

Thanks,

Mike