On 9/9/19 4:06 PM, Norman Gray wrote:
> The slapo-memberof(5) manpage mentions limitations on when it can be used, in the context of replication. The current text is very confusing, and possibly not self-consistent. [..] The text currently says:
> The memberof overlay may be used with any backend that provides full read-write functionality, [..]
> Fine -- that seems to me to say very clearly that the memberof attribute is OK to use across replicas, as long as each replica has its own memberof overlay.
Yes.
> However, immediately after that, the text says:
> Note that slapo-memberOf is not compatible with syncrepl based replication, and should not be used in a replicated environment. An alternative is to use slapo-dynlist to emulate slapo-memberOf behavior.
> This seems to flatly contradict (my understanding of) the first part of the paragraph.
The problem is that in syncrepl refresh phase entries can be replicated in any order. So if a group entry comes in before the member entries are present you will see some warnings in the log and the entries may not be consistent.
See ITS#8613 for details:
https://www.openldap.org/its/index.cgi/?findid=8613
Ciao, Michael.
P.S.: Personally I can't see a good reason why memberOf attribute is not replicated just like any other operational attribute.
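
A consistency check for the failure mode described in this thread, as an added example (not from the original messages or from the OpenLDAP project): it compares `member` values with `memberOf` back-links in an LDIF dump of a single replica. The sample LDIF, the function names and the simplified DN normalisation are assumptions; `member` and `memberOf` are the overlay's default attribute names.

```python
from collections import defaultdict

# Constructed slapcat-style sample: bob lacks memberOf, carol's entry is absent.
SAMPLE_LDIF = """\
dn: cn=admins,ou=groups,dc=example,dc=org
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=org
member: uid=bob,ou=people,dc=example,dc=org
member: uid=carol,ou=people,dc=example,dc=org

dn: uid=alice,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
memberOf: cn=admins,ou=groups,dc=example,dc=org

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
"""

def norm(dn):
    # Simplified DN normalisation (assumption): case-fold, trim around commas.
    return ",".join(p.strip() for p in dn.lower().split(","))

def parse_ldif(text):
    """Return {dn: {attr_lowercase: [values]}}; base64 ("::") values are skipped."""
    entries, cur = {}, None
    for line in text.replace("\n ", "").splitlines():  # undo LDIF line folding
        attr, sep, value = line.partition(": ")
        if not line.strip():
            cur = None  # a blank line ends the current entry
        elif attr.lower() == "dn" and sep:
            cur = entries.setdefault(norm(value), defaultdict(list))
        elif sep and cur is not None and not attr.endswith(":") and not line.startswith("#"):
            cur[attr.lower()].append(value)
    return entries

def check_memberof(entries, member_ad="member", memberof_ad="memberOf"):
    """List (kind, group_dn, member_dn) where forward and reverse links disagree."""
    m, mo = member_ad.lower(), memberof_ad.lower()
    problems = []
    for dn, attrs in entries.items():
        for target in map(norm, attrs.get(m, [])):
            if target not in entries:  # group arrived before its member
                problems.append(("member-entry-absent", dn, target))
            elif dn not in map(norm, entries[target].get(mo, [])):
                problems.append(("memberof-missing", dn, target))
        for group in map(norm, attrs.get(mo, [])):
            if group not in entries or dn not in map(norm, entries[group].get(m, [])):
                problems.append(("memberof-stale", group, dn))
    return problems
```

Run `check_memberof(parse_ldif(...))` on a dump from each replica; `memberOf` must be present in the dump for the comparison to mean anything, and any result matters wherever `memberOf` drives authorization filters.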