On Mon, 24 Feb 2014 22:08:30 -0300,
Italo Valcy <italovalcy(a)gmail.com> wrote:
I'm trying to set up replication from OpenLDAP to Fedora 389 DS. It
used to work by running slurpd in a push mode initiated by the
provider. With OL 2.4 this seems to be replaced by syncrepl proxy
mode, which works by defining an LDAP backend that will write
updates on the consumer from data received from syncrepl engine
(provider), acting as a proxy (examples in ).
This is not working in case of synchronization from OL to 389 DS,
because operational attributes (entryCSN, structuralObjectClass,
entryUUID, etc.) are not accepted in 389 DS, giving the following
error in 389 DS:
[22/Feb/2014:18:17:25 -0300] - Entry
"uid=XXX,dc=sub,dc=example,dc=com" -- attribute "entrycsn" not
I've tried to filter those operational attributes on syncrepl, by using
"exattrs='structuralObjectClass,entryUUID,entryCSN'" but it didn't
help. Another approach (the right one, see below) would be to disable
"lastmod", but then syncprov overlay complains and doesn't start
(lastmod TRUE is required by syncprov).
From LDAP backend man pages, it already gives a feeling that when
proxying, then lastmod should be OFF (and this is the default
"Note: In early versions of back-ldap it was recommended to always set
'lastmod off' for ldap and meta databases. This was required
because operational attributes related to entry creation and
modification should not be proxied, as they could be mistakenly
written to the target server(s), generating an error."
So, is there any way to not export the operational attributes from
OL in the above scenario?
RFC 3673 describes an 'All Operational Attributes' mechanism, which is
defined as '+', while an '*' defines all user attributes.
man slapd-config(5) comments in the olcSyncrepl part on the default value
'attrs=*,+'. Just define attrs=*
Dieter Klünter | Systemberatung
GPG Key ID: E9ED159B