Hi,
On Sun, 25 May 2014, Michael Ströder wrote:
'pwdFailureTime' gets replicated?
ist does if you configure ppolicy_forward_updates (olcPPolicyForwardUpdates):
Yupp, chaining.
This is asking for trouble anyway as you already noticed yourself.
yes this was for chaining. And I was bitten by some really digusting issues.
Nevertheless I do see the metadata from slapo-ppolicy getting replicated between masters in my current setup. I just checked and have forward_updates turned off.
Following is from ppolicy.c and we should go intot the else block where dont_replicate is only set for SLAP_SINGLE_SHADOW:
1148 /* If this server is a shadow and forward_updates is true, 1149 * use the frontend to perform this modify. That will trigger 1150 * the update referral, which can then be forwarded by the 1151 * chain overlay. Obviously the updateref and chain overlay 1152 * must be configured appropriately for this to be useful. 1153 */ 1154 if ( SLAP_SHADOW( op->o_bd ) && pi->forward_updates ) { 1155 op2.o_bd = frontendDB; 1156 1157 /* Must use Relax control since these are no-user-mod */ 1158 op2.o_relax = SLAP_CONTROL_CRITICAL; 1159 op2.o_ctrls = ca; 1160 ca[0] = &c; 1161 ca[1] = NULL; 1162 BER_BVZERO( &c.ldctl_value ); 1163 c.ldctl_iscritical = 1; 1164 c.ldctl_oid = LDAP_CONTROL_RELAX; 1165 } else { 1166 /* If not forwarding, don't update opattrs and don't replicate */ 1167 if ( SLAP_SINGLE_SHADOW( op->o_bd )) { 1168 op2.orm_no_opattrs = 1; 1169 op2.o_dont_replicate = 1; 1170 } 1171 op2.o_bd->bd_info = (BackendInfo *)on->on_info; 1172 }
This seems to translate into ppolicy changes being replicated between masters which is something I rely on in the current design. I am still not 100% sure on the rationale of the SLAP_SINGLE_SHADOW() check in the else path but it obviously does what I need.
Mileage may of course vary because of scaling issues and replicating timestamps with microsend resolution does not make sense in this use case.
I leveraged above code in my patch for getting authTimestamp replicated between masters in ITS#7721.
I had done the patch with chaining in mind but now also use it with plain multimaster replication without any chaining.
Greetings Christian