Thank you very much Quanah for your response!
Sort of. If you added the schema and then an object, the other masters should halt replication at that point until they have a matching schema.
That's interesting.
Not really, no. It does depend on the version of OpenLDAP in use, as there were some bugs in older OpenLDAP versions that would allow the object to partially replicate or the object to just get skipped, which could cause headache. But those issues were fixed.
So then best practice with tree sync is add the schema to all masters first, then an object, which would make sense.
I would say that by doing cn=config replication, you've added a wide surface area for new issues to occur. I generally view cn=config replication as more of a beta feature. There are still ongoing issues being resolved and fixed for it (For example, ITS#8616 in the most recent 2.4.47 release)
Hmm... so would you recommend removing the replication of cn=config for now? Individually adding the schema to each master is feasible for us.
Thank you again
-Dave
--On Wednesday, April 03, 2019 2:43 PM -0400 Dave Macias davama@gmail.com wrote:
Hmm... so would you recommend removing the replication of cn=config for now? Individually adding the schema to each master is feasible for us.
If it's not required then yes, I personally would not use it at this time. For example, ITS#8286, although it only discusses a single matching rule, ended up touching numerous files, and it's directly related to using cn=config and cn=config replication (https://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=3add82a3bb30b94afd23ff5e2c00c59ca8a931d8).
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
--On Wednesday, April 03, 2019 1:43 PM -0700 Quanah Gibson-Mount quanah@symas.com wrote:
--On Wednesday, April 03, 2019 2:43 PM -0400 Dave Macias davama@gmail.com wrote:
Hmm... so would you recommend removing the replication of cn=config for now? Individually adding the schema to each master is feasible for us.
If it's not required then yes, I personally would not use it at this time. For example, ITS#8286, although it only discusses a single matching rule, ended up touching numerous files, and it's directly related to using cn=config and cn=config replication (https://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=3add82a3bb30b94afd23ff5e2c00c59ca8a931d8).
To which I should add -- And is only being fixed for OpenLDAP 2.5 and later.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
Dave Macias davama@gmail.com wrote on 03.04.2019 at 19:43 in message
CA+nFYV8TMeL-mRKN4VUxuBXnpyDWHSO2BMFCGik8mm2CDEpX5A@mail.gmail.com:
Thank you very much Quanah for your response!
Sort of. If you added the schema and then an object, the other masters should halt replication at that point until they have a matching schema.
That's interesting.
Not really, no. It does depend on the version of OpenLDAP in use, as there were some bugs in older OpenLDAP versions that would allow the object to partially replicate or the object to just get skipped, which could cause headache. But those issues were fixed.
So then best practice with tree sync is add the schema to all masters first, then an object, which would make sense.
I would say that by doing cn=config replication, you've added a wide surface area for new issues to occur. I generally view cn=config replication as more of a beta feature. There are still ongoing issues being resolved and fixed for it (For example, ITS#8616 in the most recent 2.4.47 release)
Hmm... so would you recommend removing the replication of cn=config for now? Individually adding the schema to each master is feasible for us.
Actually we do have cn=config replication for more than five years now without any problem, but we change the config rarely. What's nice is that you'll have to create your indexes only once...
Regards, Ulrich Windl
Thank you again
-Dave
--On Thursday, April 04, 2019 9:01 AM +0200 Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de wrote:
Actually we do have cn=config replication for more than five years now without any problem
Yes, in an environment in which you seldom make changes, and your changes are restricted to the directives that work, things will work fine. But as soon as you start touching directives where it doesn't work, then you hit problems.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
openldap-technical@openldap.org
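Added example, not part of the thread and not OpenLDAP code: when schema is added to each master by hand, as discussed above, a pre-flight check can confirm that every master holds the same definitions before an object using them is written. It compares LDIF exports of cn=schema,cn=config; the master names, the "example" schema and its OIDs under the 1.1 arc are constructed for illustration.

```python
import base64
import re

SCHEMA_ATTRS = ("olcattributetypes", "olcobjectclasses")

# Constructed exports of cn=schema,cn=config from two masters (hypothetical
# names, schema and OIDs). master2 has not received the object class yet.
MASTER1 = """\
dn: cn={4}example,cn=schema,cn=config
olcAttributeTypes: {0}( 1.1.2.1.1 NAME 'exampleBadge'
  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcObjectClasses: {0}( 1.1.2.2.1 NAME 'examplePerson'
  SUP top AUXILIARY MAY exampleBadge )
"""
MASTER2 = """\
dn: cn={7}example,cn=schema,cn=config
olcAttributeTypes: {1}( 1.1.2.1.1 NAME 'exampleBadge' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
"""

def schema_definitions(ldif):
    """Return {(attribute, oid): normalized definition} for one export."""
    defs = {}
    unfolded = re.sub(r"\r?\n ", "", ldif)  # undo LDIF line folding
    for line in unfolded.splitlines():
        attr, sep, value = line.partition(":")
        if not sep or attr.lower() not in SCHEMA_ATTRS:
            continue
        if value.startswith(":"):  # "attr:: ..." marks a base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        # The {n} ordering prefix and whitespace may differ between servers.
        value = re.sub(r"^\{\d+\}", "", value.strip())
        value = " ".join(value.split())
        oid = re.match(r"\(\s*([\w.\-]+)", value)
        if oid:
            defs[(attr.lower(), oid.group(1))] = value
    return defs

def schema_drift(masters):
    """masters: {name: ldif}. Return definitions that are not identical
    on every master, as {(attribute, oid): {name: definition or None}}."""
    parsed = {name: schema_definitions(text) for name, text in masters.items()}
    drift = {}
    for key in sorted(set().union(*parsed.values())):
        seen = {name: defs.get(key) for name, defs in parsed.items()}
        if len(set(seen.values())) > 1:
            drift[key] = seen
    return drift

if __name__ == "__main__":
    for key, seen in schema_drift({"master1": MASTER1, "master2": MASTER2}).items():
        print(key, seen)
```

An empty result means the exports agree on every definition; any entry names the masters that still need the schema before objects depending on it are added.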