--On Tuesday, August 4, 2020 9:47 AM +0000 Jonathan Steel jss92@cam.ac.uk wrote:
This says it is adding "cn=mygroup", and there is a constraint violation of some sort. You'd need to provide significantly more detail about your setup as you seem to have some set of overlays in use that you haven't disclosed.
This uses the memberOf overlay.
The entry it is having an issue adding is this one. I believe it is because those users do not yet exist, because syncrepl decides to try and sync this entry before the users.
What is the exact configuration of your memberOf overlay? It would appear, for example, that it's doing referential integrity or similar.
The slapo-memberof(5) man page explicitly contains the following:
"Note that slapo-memberOf is not compatible with syncrepl based replication, and should not be used in a replicated environment."
The reason that note is there is due in part to what you're experiencing now -- if the group is replicated before the users exist, those users will not have the memberOf attribute added when using a default memberOf configuration.
Your scenario seems to trigger additional problematic behavior which is why I'm asking for the exact configuration. It could be useful in the future for testing.
There's been significant work for OpenLDAP 2.5 to allow slapo-dynlist to be an alternative to slapo-memberOf in a replicated environment, as it does not suffer from the replication-related issues.
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
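
A configuration check for the situation discussed in this thread, added as an example and not taken from either poster: it scans a cn=config export (such as `slapcat -n 0` produces) for databases that carry both `olcSyncrepl` and the memberOf overlay, and reports the overlay's dangling-reference and referential-integrity settings. The sample LDIF, suffixes and provider hostname are constructed; `olcMemberOfDangling` and `olcMemberOfRefInt` are the cn=config forms of `memberof-dangling` and `memberof-refint` from slapo-memberof(5).

```python
import re
# Constructed sample of a cn=config export; not the configuration from the thread.
SAMPLE_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
objectClass: olcMdbConfig
olcSuffix: dc=example,dc=com
olcSyncrepl: {0}rid=001 provider=ldap://provider.example.com type=refreshAndPersist

dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcMemberOf
olcMemberOfDangling: error
olcMemberOfRefInt: TRUE

dn: olcDatabase={2}mdb,cn=config
objectClass: olcMdbConfig
"""

def parse_entries(ldif):
    """Return {lowercased dn: {lowercased attr: [values]}}, unfolding continuation lines."""
    text = re.sub(r"\r?\n ", "", ldif)
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.lstrip(": "))
        if "dn" in attrs:
            entries[attrs["dn"][0].lower()] = attrs
    return entries

def audit(ldif):
    """List databases that combine syncrepl with slapo-memberof.

    dangling == "error" makes the overlay reject a group whose members do not
    exist yet; the man page default is "ignore", and refint defaults to off.
    """
    entries = parse_entries(ldif)
    findings = []
    for dn, attrs in entries.items():
        if "olcmemberof" not in [v.lower() for v in attrs.get("objectclass", [])]:
            continue
        parent = dn.split(",", 1)[1]  # overlay entries sit directly under their database
        if "olcsyncrepl" not in entries.get(parent, {}):
            continue
        findings.append({
            "database": parent,
            "dangling": attrs.get("olcmemberofdangling", ["ignore"])[0].lower(),
            "refint": attrs.get("olcmemberofrefint", ["FALSE"])[0].upper() == "TRUE",
        })
    return findings
```

Calling `audit()` on the text of a real export returns one finding per affected database; an empty list means no database combines the two.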