Forgot this info:
OpenLDAP 2.4.39 with back-mdb
syncrepl: refreshAndPersist with keepalive set, authc with SASL/EXTERNAL based on TLS client certs
On Fri, 15 Aug 2014 12:21:30 +0200 "Michael Ströder" michael@stroeder.com wrote
HI!
I have a replication topology with providers running with MMR and a layer of r/o consumers..
- spread across three data centers
- in two different countries (DE and foreign country)
Network traffic between the countries has higher latency so consumers are only accessing providers within the same country. Write operations go nearly 100% to a single provider in Germany.
All systems are using these overlays:
- slapo-ppolicy (mostly for password expiry)
- slapo-lastbind overlays
- slapo-accesslog (yes, also on consumers)
Now occasionally contextCSN values differ most times for a couple of minutes on the consumers in the foreign country from their local providers.
I cannot tell exactly which conditions are causing this. But I observed that most times there was a login failure on the provider in Germany which results in 'pwdChangedTime' being set and replicated to the consumers. Most times followed by 'authTimestamp' being correctly set.
So I wonder whether the differences of the contextCSN values could be caused by 'pwdChangedTime' and 'authTimestamp' being replicated to providers but not to consumers.
Any clue? Thanks in advance.
Ciao, Michael.