Dave Steiner email@example.com schrieb am 07.09.2018 um 21:10 in Nachricht
On 9/7/2018 12:59 PM, Quanah Gibson-Mount wrote:
--On Thursday, September 06, 2018 5:43 PM -0400 Dave Steiner firstname.lastname@example.org wrote:
Ok, bad example... Here's another example that's rather different:
$ searchn -H ldap://ldapmaster.rutgers.edu uid=XXXX mail createTimestamp modifyTimestamp entryCSN dn: uid=XXXX,ou=People,dc=rutgers,dc=edu createTimestamp: 20180504140010Z mail: email@example.com entryCSN: 20180831205041.549496Z#000000#001#000000 modifyTimestamp: 20180831205041Z
$ searchn -H ldap://ldapconsumer1.rutgers.edu uid=XXXX mail createTimestamp modifyTimestamp entryCSN dn: uid=XXXX,ou=People,dc=rutgers,dc=edu createTimestamp: 20180504140010Z mail: firstname.lastname@example.org entryCSN: 20180831205041.549496Z#000000#001#000000 modifyTimestamp: 20180831205041Z
That's certainly a more interesting case. Do you know when the discrepancy arose? Clearly the entry was modified on 8/31, but you'd have to parse the accesslog to see what the actual change was that was made to the entry. Generally to track down replication related issues, there are a number of various bits that need to be examined in the logs (provider and consumer) along with the data in the accesslog. One would also need to have knowledge
on the version of OpenLDAP that's in use since it may be subject to bugs
could cause such issues (ITS#8444 for example, fixed in 2.4.46).
Warm regards, Quanah
We are running 2.4.44 so there maybe something fixed between that and the latest version....
So I've look at the ldap_audit.log and this person initially set their mail attribute at 20180813215911Z and then changed it to a more readable version at 20180813220044Z. This makes sense given our account activation flow for new
students. So it seems that the second change didn't get out to the particular consumer. Unfortunately this is long enough ago that it won't be in the accesslog or in the ldap_access.log files on the consumers. I'll see if I can find a more recent case.
What comes to my mind is this: For the email example the CSN does not necessarily refect the cange of the emmail attribute, especially if you are using password policy. Maybe the incorrect sync happened in the past with a buggy version of OpenLDAP?
I checked all 13 of our consumers and while the modifyTimestamp and entryCSN are all consistent with the master(s), the mail attribute was not updated on 3 of the consumers. It's correct on the other 10.
Thanks for all your help, ds