After doing more testing, I have noticed that it is the 'Group member modify entryCSNs' that seem to get ignored by the Provider but picked up by the Consumers. All other changes, adding or removing users, seem to update the ContextCSN on the Provider correctly.
So a workaround would be to make some kind of random change to an entry in my DIT (after making changes to group membership), so that the Provider has the correct ContextCSN. A simple change like modifying the description field for a user would accomplish this. I would like to get to the bottom of this though, without such a workaround.
Could this have anything to do with the memberOf overlay, which I am using?
On Sun, Mar 13, 2011 at 2:50 PM, Yuri Bank yuribank@gmail.com wrote:
I'm using the latest stable version: OpenLDAP 2.4.23 (running on Ubuntu 10.10)
I've also included the relevant configuration for my Provider and Consumer[s].
Consumer[s]
# {1}hdb, config
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=test,dc=com
olcAccess: {0}to attrs=userPassword by dn="cn=admin,dc=test,dc=com" write by anonymous auth by self write by group.exact="cn=DCNAS,o=Groups,dc=test,dc=com" write by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by dn="cn=admin,dc=test,dc=com" write by group.exact="cn=DCNAS,o=Groups,dc=test,dc=com" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=test,dc=com
olcRootPW: test
olcSyncrepl: {0}rid=001 provider=ldap://10.81.255.30 bindmethod=simple binddn="cn=admin,dc=test,dc=com" credentials=test searchbase="dc=test,dc=com" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshOnly retry="60 +" interval=00:00:00:30 syncdata=accesslog
olcUpdateRef: ldap://10.81.255.30
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: uid eq
olcDbIndex: uidNumber eq
olcDbIndex: cn eq
olcDbIndex: memberOf eq
olcDbIndex: entryUUID eq
Provider:
# {1}hdb, config
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=test,dc=com
olcAccess: {0}to attrs=userPassword by dn="cn=admin,dc=test,dc=com" write by anonymous auth by self write by group.exact="cn=DCNAS,o=Groups,dc=test,dc=com" write by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by dn="cn=admin,dc=test,dc=com" write by group.exact="cn=DCNAS,o=Groups,dc=test,dc=com" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=test,dc=com
olcRootPW: test
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcDbIndex: uid eq
olcDbIndex: uidNumber eq
olcDbIndex: cn eq
olcDbIndex: memberOf eq

# {1}syncprov, {1}hdb, config
dn: olcOverlay={1}syncprov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {1}syncprov
olcSpNoPresent: TRUE

# {2}accesslog, {1}hdb, config
dn: olcOverlay={2}accesslog,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: {2}accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogPurge: 07+00:00 01+00:00
olcAccessLogSuccess: TRUE

# {2}hdb, config
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=test,dc=com
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart

# {0}syncprov, {2}hdb, config
dn: olcOverlay={0}syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE
-Yuri

On Sun, Mar 13, 2011 at 11:47 AM, Quanah Gibson-Mount <quanah@zimbra.com> wrote:
--On Saturday, March 12, 2011 8:59 PM -0800 Yuri Bank yuribank@gmail.com wrote:
I've found an interesting issue with delta-sync replication in which the
The first thing you should always provide is the version of OpenLDAP you are using.
--Quanah
--
Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration
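
The symptom reported at the top of this thread (an entry whose entryCSN the Provider's contextCSN has not caught up with) can be checked mechanically. The following is an added example, not code from the thread or from OpenLDAP: it assumes ldapsearch output from the Provider that includes the operational attributes entryCSN and contextCSN, and the sample LDIF, its CSN values and the function names are constructed for illustration.

```python
import re

# OpenLDAP 2.4 CSN layout: timestamp#change-count#server-id#mod-number
CSN_RE = re.compile(r"^(\d{14}\.\d{6}Z)#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$", re.I)

# Constructed sample of provider-side ldapsearch output (not from the thread).
SAMPLE = """\
dn: dc=test,dc=com
entryCSN: 20110313210000.000000Z#000000#000#000000
contextCSN: 20110313214501.120000Z#000000#000#000000

dn: uid=jdoe,o=Users,dc=test,dc=com
entryCSN: 20110313214501.120000Z#000000#000#000000

dn: cn=DCNAS,o=Groups,dc=te
 st,dc=com
entryCSN: 20110313215012.334455Z#000000#000#000000
"""

def parse_csn(value):
    """Return (server_id, sortable_key) for one CSN string."""
    m = CSN_RE.match(value.strip())
    if not m:
        raise ValueError("not a CSN: %r" % value)
    ts, count, sid, mod = (g.lower() for g in m.groups())
    return sid, (ts, count, mod)

def read_entries(ldif):
    """Yield (dn, attrs) from LDIF text; base64 ('::') values are not decoded."""
    ldif = ldif.replace("\n ", "")  # unfold lines wrapped by ldapsearch
    for block in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            name, value = line.split(": ", 1)
            attrs.setdefault(name.lower(), []).append(value)
        if "dn" in attrs:
            yield attrs["dn"][0], attrs

def entries_ahead_of_context(ldif, suffix):
    """List (dn, entryCSN) pairs newer than the suffix contextCSN for their SID."""
    entries = dict(read_entries(ldif))
    context = dict(parse_csn(v) for v in entries[suffix].get("contextcsn", []))
    ahead = []
    for dn, attrs in entries.items():
        for value in attrs.get("entrycsn", []):
            sid, key = parse_csn(value)
            if sid not in context or key > context[sid]:
                ahead.append((dn, value))
    return sorted(ahead)
```

Run against the Provider's suffix, any entry it returns has been written with a CSN that the Provider's contextCSN does not yet reflect.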