After doing more testing I have noticed that it is the 'Group member modify entryCSNs' that seem to get ignored by the Provider, but picked up by the Consumers. All other changes, adding or removing users, seem to update the ContextCSN on the Provider correctly.
 
So a workaround would be to make some kind of random change to an entry in my DIT (after making changes to group membership), so that the Provider has the correct ContextCSN. A simple change like modifying the description field for a user would accomplish this. I would like to get to the bottom of this though, without such a workaround.
 
Could this have anything to do with the memberOf overlay, which I am using?

On Sun, Mar 13, 2011 at 2:50 PM, Yuri Bank <yuribank@gmail.com> wrote:
I'm using the latest stable version: OpenLDAP 2.4.23 (running on Ubuntu 10.10)
 
 
I've also included the relevant configuration for my Provider and Consumer[s].
 
 
Consumer[s]
 
# {1}hdb, config
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=test,dc=com
olcAccess: {0}to attrs=userPassword by dn="cn=admin,dc=test,dc=com" write by an
 onymous auth by self write by group.exact="cn=DCNAS,o=Groups,dc=test,dc=com" w
 rite by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by dn="cn=admin,dc=test,dc=com" write by group.exact="cn=DCN
 AS,o=Groups,dc=test,dc=com" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=test,dc=com
olcRootPW: test
olcSyncrepl: {0}rid=001 provider=ldap://10.81.255.30 bindmethod=simple binddn=
 "cn=admin,dc=test,dc=com" credentials=test searchbase="dc=test,dc=com" logba
 se="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
 schemachecking=on type=refreshOnly retry="60 +" interval=00:00:00:30 syncdata
 =accesslog
olcUpdateRef: ldap://10.81.255.30
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: uid eq
olcDbIndex: uidNumber eq
olcDbIndex: cn eq
olcDbIndex: memberOf eq
olcDbIndex: entryUUID eq

Provider:
 
# {1}hdb, config
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=test,dc=com
olcAccess: {0}to attrs=userPassword by dn="cn=admin,dc=test,dc=com" write by an
 onymous auth by self write by group.exact="cn=DCNAS,o=Groups,dc=test,dc=com" w
 rite by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by dn="cn=admin,dc=test,dc=com" write by group.exact="cn=DCN
 AS,o=Groups,dc=test,dc=com" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=test,dc=com
olcRootPW: test
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcDbIndex: uid eq
olcDbIndex: uidNumber eq
olcDbIndex: cn eq
olcDbIndex: memberOf eq
 
# {1}syncprov, {1}hdb, config
dn: olcOverlay={1}syncprov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {1}syncprov
olcSpNoPresent: TRUE
 
# {2}accesslog, {1}hdb, config
dn: olcOverlay={2}accesslog,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: {2}accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogPurge: 07+00:00 01+00:00
olcAccessLogSuccess: TRUE
 
 
# {2}hdb, config
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=test,dc=com
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
 
# {0}syncprov, {2}hdb, config
dn: olcOverlay={0}syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE
 
 
 
-Yuri

On Sun, Mar 13, 2011 at 11:47 AM, Quanah Gibson-Mount <quanah@zimbra.com> wrote:
--On Saturday, March 12, 2011 8:59 PM -0800 Yuri Bank <yuribank@gmail.com> wrote:


I've found an interesting issue with delta-sync replication in which the


The first thing you should always provide is the version of OpenLDAP you are using.

--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration
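
Added example, not part of the original thread or of OpenLDAP itself: one way to check a provider for the symptom described at the top of this thread, an entry whose entryCSN is newer than the contextCSN stored on the suffix entry. It assumes the LDIF comes from a subtree search of dc=test,dc=com that requests entryCSN and contextCSN, and a single provider (one serverID); the sample LDIF, its CSN values and the o=Users entry are constructed for illustration.

```python
import re

CSN_RE = re.compile(r"^(\d{14}\.\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$", re.I)

def parse_csn(text):
    """Return a sortable (timestamp, count, sid, mod) tuple for one CSN string."""
    m = CSN_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a CSN: {text!r}")
    ts, count, sid, mod = m.groups()
    return (ts, int(count, 16), int(sid, 16), int(mod, 16))

def records(ldif):
    """Yield one {attribute: [values]} dict per entry, undoing LDIF line folding."""
    unfolded = re.sub(r"\n ", "", ldif)
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.lower(), []).append(value.strip())
        if "dn" in attrs:
            yield attrs

def entries_ahead_of_context(ldif, suffix):
    """Return DNs whose entryCSN is newer than the suffix entry's contextCSN."""
    recs = list(records(ldif))
    ctx = [parse_csn(v) for r in recs if r["dn"][0].lower() == suffix.lower()
           for v in r.get("contextcsn", [])]
    if not ctx:
        raise ValueError("no contextCSN found on the suffix entry")
    newest = max(ctx)  # assumption: one provider, so a single serverID
    return sorted(r["dn"][0] for r in recs
                  if "entrycsn" in r and parse_csn(r["entrycsn"][0]) > newest)

# Constructed sample: the group entry was modified after the last contextCSN update.
SAMPLE_LDIF = """\
dn: dc=test,dc=com
entryCSN: 20110313214000.000000Z#000000#000#000000
contextCSN: 20110313214500.000000Z#000000#000#000000

dn: uid=jdoe,o=Users,dc=test,dc=com
entryCSN: 20110313214500.000000Z#000000#000#000000

dn: cn=DCNAS,o=Groups,
 dc=test,dc=com
entryCSN: 20110313215000.123456Z#000000#000#000000
"""
```

An empty list from entries_ahead_of_context() means the contextCSN is at least as new as every entry returned; any DN listed is a write that the provider's contextCSN does not yet reflect.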