Question: What is happening that I can turn a multimaster replica into a "shadow context"?
(I'm more or less fine with the behaviour since I don't mind stopping the multimaster slapds to do a password change, but I'm concerned that I may have missed some underlying problem in my setup.)
I've found that issuing a particular set of changes to one or both cn=config multimaster replicas means that I cannot issue any more changes to cn=config until I restart slapd.
The ldif I paste into my ldapmodify session is this (changed the hostname and credentials from the real ones):
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: {0}rid=1 provider=ldap://ldap-supplier-lab-01.company.com binddn="cn=config" bindmethod=simple credentials=newpw searchbase="cn=config" type=refreshAndPersist retry="5 5 30 +" timeout=5
olcSyncrepl: {1}rid=2 provider=ldap://ldap-supplier-lab-02.company.com binddn="cn=config" bindmethod=simple credentials=newpw searchbase="cn=config" type=refreshAndPersist retry="5 5 30 +" timeout=5
-
replace: olcRootPW
olcRootPW: newpw
I get this output:
modifying entry "olcDatabase={0}config,cn=config"
Then I observe the following behaviour:
I can ldapsearch with the new password and get the expected result (ldif output of the cn=config database).
When I ldapmodify with the new password I get this output:
modifying entry "olcDatabase={0}config,cn=config"
ldap_modify: Server is unwilling to perform (53)
additional info: shadow context; no update referral
After I restart slapd I get the expected behaviours with both ldapsearch (get ldif output) and ldapmodify (can change cn=config).
Further, I've diffed the ldif output of directories before and after this change, and I do not see any difference apart from the attributes that I've changed.