Based on the documentation, my understanding was that the memberof overlay maintained the memberOf attribute locally, and this attribute was not replicated? While I was recently working on implementing the memberof overlay, I noticed that after I had enabled it on one server, before enabling it on another, the memberOf attribute seemed to be replicated from the server on which the overlay was enabled to the one on which it was not:
Oct 7 18:30:18 filmore slapd[28994]: UNKNOWN attributeDescription "MEMBEROF" inserted.
Oct 7 18:30:18 fosse slapd[3047]: UNKNOWN attributeDescription "MEMBEROF" inserted.
Oct 10 16:23:08 pip-dev slapd[7030]: slapd starting
Oct 10 16:23:08 pip-dev slapd[7030]: UNKNOWN attributeDescription "MEMBEROF" inserted.
This seems contrary to the documentation and I found it confusing. Am I missing something?
Thanks.
--On Friday, October 11, 2013 1:07 PM -0700 "Paul B. Henson" henson@acm.org wrote:
> This seems contrary to the documentation and I found it confusing. Am I missing something?
The memberof overlay should be loaded on all servers. Also see the ITS I just referenced to you...
--Quanah
--
Quanah Gibson-Mount
Architect - Server
Zimbra Software, LLC
--------------------
Zimbra :: the leader in open source messaging and collaboration

From: Quanah Gibson-Mount [mailto:quanah@zimbra.com]
Sent: Friday, October 11, 2013 1:49 PM
>> This seems contrary to the documentation and I found it confusing. Am I missing something?
> The memberof overlay should be loaded on all servers. Also see the ITS I just referenced to you...
In the ticket, there is some discussion of whether or not memberOf should be a "DSA-specific attribute" and hence not replicated; the discussion was not resolved, but I would vote for yes. The slapo-memberof man page says:
"The maintenance operations it performs are internal to the server on which the overlay is configured and are never replicated. Replica servers should be configured with their own instances of the memberOf overlay if it is desired to maintain these memberOf attributes on the replicas."
Considering memberOf is not part of any standard schema, and only valid if the memberof overlay is loaded, it seems it would make sense for it not to be replicated to remote servers that might not know what to do with it. If for some reason that won't be done, then ideally at least the documentation could be updated to make it clear that the attribute *is* replicated, and that all of the servers should be reconfigured to include the overlay before any group membership is updated to prevent an invalid attribute from showing up...
Thanks.
openldap-technical@openldap.org
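Added example, not part of the original thread or of OpenLDAP: a small Python check that scans collected slapd syslog lines for the `UNKNOWN attributeDescription` message quoted above and lists the hosts that logged it for memberOf, which in this thread were the servers that received the attribute before the overlay was loaded. The function names are hypothetical and the sample input is constructed from the log lines in the first message.

```python
import re
from collections import defaultdict

# Constructed sample, copied from the log lines quoted in the thread.
SAMPLE_LOG = """\
Oct 7 18:30:18 filmore slapd[28994]: UNKNOWN attributeDescription "MEMBEROF" inserted.
Oct 7 18:30:18 fosse slapd[3047]: UNKNOWN attributeDescription "MEMBEROF" inserted.
Oct 10 16:23:08 pip-dev slapd[7030]: slapd starting
Oct 10 16:23:08 pip-dev slapd[7030]: UNKNOWN attributeDescription "MEMBEROF" inserted.
"""

# Classic syslog prefix: "Mon D HH:MM:SS host slapd[pid]: message"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+'
    r'slapd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$'
)
UNKNOWN_RE = re.compile(r'UNKNOWN attributeDescription "(?P<attr>[^"]+)" inserted')


def unknown_attrs_by_host(log_text):
    """Return {host: {ATTR: [timestamps]}} for each unknown-attribute message."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a slapd syslog line
        u = UNKNOWN_RE.search(m.group("msg"))
        if u:
            # slapd logs the name upper-cased; normalise so lookups are case-insensitive
            hits[m.group("host")][u.group("attr").upper()].append(m.group("ts"))
    return {host: dict(attrs) for host, attrs in hits.items()}


def hosts_with_unknown_attr(log_text, attr="memberOf"):
    """Hosts that logged `attr` as an unknown attribute description."""
    by_host = unknown_attrs_by_host(log_text)
    return sorted(h for h, attrs in by_host.items() if attr.upper() in attrs)


if __name__ == "__main__":
    for host in hosts_with_unknown_attr(SAMPLE_LOG):
        first_seen = unknown_attrs_by_host(SAMPLE_LOG)[host]["MEMBEROF"][0]
        print(f"{host}: memberOf arrived without a schema definition (first seen {first_seen})")
```

Run against the aggregated syslog of all replicas, an empty result after the overlay has been rolled out everywhere confirms that no server is still storing memberOf without knowing the attribute.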