I am not sure if this is by design or a bug so I am posting here first.
I have a provider-consumer configuration (both at version 2.4.40) where the consumer uses simple syncrepl (no delta sync). I am using the memberof overlay in the provider, and, having read the slapo-memberof manpage and ITS#7400, I made sure to exclude "memberof" from the synced attributes, and configured the memberof overlay in the consumer too. When I add or remove a user from a group, the user entry is correctly updated in both provider and consumer with the addition or removal of the corresponding "memberof" value.
The problem occurs when a user entry is modified in any way, e.g. by changing a password, adding a description, etc. From what I understand, when a change occurs in an entry, non-delta syncrepl causes the entire entry to be resynced, not just the modified attributes. The result is that the "memberof" attributes of this entry on the consumer are removed.
Is this the intended behavior? Shouldn't the "memberOf" values be restored after the entry is updated, since no group membership was modified?
John Alex. wrote:
I have a provider-consumer configuration (both at version 2.4.40) where the consumer uses simple syncrepl (no delta sync). I am using the memberof overlay in the provider, and, having read the slapo-memberof manpage and ITS#7400, I made sure to exclude "memberof" from the synced attributes,
Explicitly excluding "memberof" should not be necessary with 2.4.40.
The problem occurs when a user entry is modified in any way, e.g. by changing a password, adding a description, etc. From what I understand, when a change occurs in an entry, non-delta syncrepl causes the entire entry to be resynced, not just the modified attributes. The result is that the "memberof" attributes of this entry on the consumer are removed.
Is this the intended behavior?
No, this is not intended. But note that you have to run slapo-memberof on each replica since "memberof" attribute is maintained locally.
Without seeing your config it's impossible to say more.
Ciao, Michael.
Hi Michael,
Like I wrote in my previous email, I have configured the memberof overlay in the consumer too and it *does* work when adding/removing members from groups. But when an entry that contains "memberOf" values is modified, these values are deleted in the consumer.
The configuration of the consumer db is nothing special but here it is anyway:
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/db/openldap-data/testing
olcSuffix: dc=example,dc=com
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * break
olcAccess: {1}to attrs=userPassword by anonymous auth
olcAccess: {2}to dn.base="dc=example,dc=com" by * read
olcRootDN: cn=admin,dc=example,dc=com
olcDbIndex: objectClass eq
olcDbMaxSize: 209715200
olcSyncrepl: {0}rid=010 provider="ldaps://ldap.example.com" searchbase="dc=example,dc=com" type=refreshAndPersist retry="5 12 30 10 300 +" schemachecking=on bindmethod=simple binddn="cn=ldaptest,ou=admins,dc=example,dc=com" credentials=******* exattrs=memberOf tls_cacert="/etc/certs/ca.pem"

dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {0}memberof
On 05/18/2015 01:45 PM, Michael Ströder wrote:
John Alex. wrote:
Like I wrote in my previous email, I have configured the memberof overlay in the consumer too and it *does* work when adding/removing members from groups. But when an entry that contains "memberOf" values is modified, these values are deleted in the consumer.
Something like this works for me.
Could you please try to leave out exattrs=memberOf? It might have another unexpected side effect.
Ciao, Michael.
Indeed, I removed "memberOf" from "exattrs" and I can no longer reproduce the issue. I will file an ITS on this.
When was the issue with "memberOf" replication fixed? ITS#7400 is still open.
On 05/18/2015 02:54 PM, Michael Ströder wrote:
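The thread ends with two configuration lessons for a simple-syncrepl consumer: do not put memberOf in exattrs (it is what made the consumer drop the values on every modify here), and run slapo-memberof on every replica because memberOf is maintained locally. The script below is an added example written for this page, not OpenLDAP code and not something either poster wrote. It lints a cn=config LDIF dump (assumed to look like `slapcat -n 0` output) for those two conditions. The function names, the finding wording and the sample LDIF are mine; the sample is constructed from the consumer config posted above, trimmed, with the masked credential replaced by a placeholder, and the rule that the overlay lives at olcOverlay={n}memberof under the database entry follows the DN shown in that config.

```python
"""Lint a slapd cn=config LDIF dump for the two syncrepl/memberof pitfalls
from the thread above. Added example; it is not OpenLDAP code.

For every database that carries an olcSyncrepl value (a consumer) it reports:
  1. exattrs listing memberOf: with non-delta syncrepl the whole entry is
     rewritten on every change, so the locally maintained memberOf values are
     lost (the behaviour reported above; the exclusion is not needed on 2.4.40).
  2. no memberof overlay under that database: memberOf is computed locally on
     each replica, so every consumer needs slapo-memberof too.
Input format assumed: an LDIF dump as produced by `slapcat -n 0`.
"""
import re
import shlex


def parse_ldif(text):
    """Minimal LDIF reader returning [(dn, {attr_lower: [values]})].
    Unfolds continuation lines (leading space) and skips comments.
    Base64 ('::') values are not decoded; the attributes checked here are plain."""
    unfolded = re.sub(r"\n ", "", text)          # join folded lines
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(": ")
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def parse_syncrepl(value):
    """Split an olcSyncrepl value into {keyword_lower: value}.
    shlex keeps quoted values such as retry="5 12 30 10 300 +" intact;
    a leading {n} ordering prefix (cn=config style) is dropped first."""
    value = re.sub(r"^\{\d+\}", "", value.strip())
    params = {}
    for token in shlex.split(value):
        key, _, val = token.partition("=")
        params[key.lower()] = val
    return params


def lint_consumer_config(ldif_text):
    """Return a list of finding strings; an empty list means nothing to fix."""
    entries = parse_ldif(ldif_text)
    all_dns = {dn.lower() for dn, _ in entries}
    findings = []
    for dn, attrs in entries:
        syncrepl_values = attrs.get("olcsyncrepl", [])
        if not syncrepl_values:
            continue                                   # not a consumer database
        for raw in syncrepl_values:
            params = parse_syncrepl(raw)
            excluded = [a.strip().lower()
                        for a in params.get("exattrs", "").split(",") if a.strip()]
            if "memberof" in excluded:
                findings.append(
                    f"{dn}: syncrepl rid={params.get('rid', '?')} has exattrs=memberOf; "
                    "remove it, it is not needed on 2.4.40 and it drops memberOf "
                    "from the consumer copy whenever the entry is modified")
        # slapo-memberof shows up as olcOverlay={n}memberof,<database dn>
        overlay_re = re.compile(r"olcoverlay=\{\d+\}memberof," + re.escape(dn.lower()) + "$")
        if not any(overlay_re.match(d) for d in all_dns):
            findings.append(
                f"{dn}: no memberof overlay configured under this consumer database; "
                "memberOf is maintained locally on each replica")
    return findings


# Constructed sample: the consumer config posted above, trimmed, with the
# credential replaced by a placeholder and the syncrepl value folded LDIF-style.
CONSUMER_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com
olcSyncrepl: {0}rid=010 provider="ldaps://ldap.example.com" searchbase="dc=exa
 mple,dc=com" type=refreshAndPersist retry="5 12 30 10 300 +" schemachecking=on
  bindmethod=simple binddn="cn=ldaptest,ou=admins,dc=example,dc=com"
  credentials=placeholder exattrs=memberOf tls_cacert="/etc/certs/ca.pem"

dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: {0}memberof
"""

# The fix from the thread: the same config without exattrs=memberOf.
FIXED_LDIF = CONSUMER_LDIF.replace(" exattrs=memberOf", "")

if __name__ == "__main__":
    for label, text in (("as posted", CONSUMER_LDIF), ("fixed", FIXED_LDIF)):
        print(f"{label}: {lint_consumer_config(text) or ['ok']}")
```

Run it on `slapcat -n 0` output from each consumer. On the config as posted it reports only the exattrs finding, because the overlay is present; on the same dump with the overlay entry missing it reports the second finding instead, which is the case Michael's "you have to run slapo-memberof on each replica" remark covers.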
openldap-technical@openldap.org