On 12/18/19 6:09 PM, Howard Chu wrote:
Howard Chu wrote:
Quanah Gibson-Mount wrote:
It would be great along with all of this to finally fix memberOf so it's actually functional (and replication safe) (i.e., can maintain membership regardless of user/group creation order).
That sounds like scope creep. Out of scope for the current discussion.
Just thinking about this a bit more - I don't really see any good solution here. If you want memberof to accept DNs of entries that don't exist, you can set memberof-dangling to ignore. And then it'll accumulate DNs of nonexistent entries...
If you want it to maintain an accurate list of only existing entry DNs, then you have to check for existence at the time of updating the memberof attribute.
Another option is to let it update lazily only during a refresh, and then run a cleanup job when the refresh completes. Not sure how we would rig things up for refreshDone to trigger other modules.
My feeling always was that 'memberOf' should simply be replicated like other operational attributes (modifiersName, pwdChangedTime etc.).
Ondrej and I had a longer discussion about this at the LDAPcon pre-conference dinner. He was not sure whether my proposal could work.
So the big question is: Why is 'memberOf' not replicated?
Next question is: Can slapo-memberof detect whether a write operation comes from replication and simply ignore that?
Ciao, Michael.