On Tue, Jun 10, 2025 at 10:53:07AM +0000, Windl, Ulrich wrote:
Hi Ulrich, as documented, refint-initiated operations are not meant to be replicated; you are supposed to configure refint on each replica. That includes that they cannot be logged in accesslog either.
Well, I think they *could* be recorded there, causing some redundancy on the consumer if it also uses refint. What will "plain old LDAP sync" see from the provider then?
Hi Ulrich, they will not see "fallout" notifications at all, again because they are supposed to process them internally. Note that refint is inherently race-prone already (identifying what updates are needed and running them is done in a separate task *after* the modification is done).
And no, they cannot be recorded in the accesslog, again because they are marked internal.
The requirement that all consumers need to use refint as well seems to break LDAP sync IMHO.
Due to LDAP semantics, any operations that affect more than one entry have the potential to break syncrepl, especially when more than 1 server accepts new modifications. Things like refint are only "safe" if there is only one such server at any point.
Regards,