Hello.
I have some troubles setting syncrepl + back-ldap push based replication, as described on
http://www.openldap.org/doc/admin24/replication.html#LDAP Sync Replication
I'm using current stable openldap - the problem is, when I set up daemons (using the same slapcat output file) and modify e.g. "description" attribute on master side, back-ldap pushes out system attributes like entryCSN, creatorsName, etc, which causes modify operation to fail on final consumer side.
conn=1000 op=33 MOD attr=creatorsName createTimestamp description entryCSN conn=1000 op=33 RESULT tag=103 err=19 text=creatorsName: no user modification allowed
Is it some ACL-related matter, should I create some ACL, which denies to read of system attributes on master-side, to avoid replicating it with syncrepl to local back-ldap ?
In such push-based scenario ( in opposite to classic provider-consumer syncrepl), final consumer does not know actually that it is a replica, it's just receiving modify operation, how do I prevent read-only system attributes from being pushed from back-ldap to final replica?
Regards, DT
On Tue, 14 Sep 2010, DT Piotr Wadas wrote:
Hello.
I have some troubles setting syncrepl + back-ldap push based replication, as described on
http://www.openldap.org/doc/admin24/replication.html#LDAP Sync Replication
I'm using current stable openldap - the problem is, when I set up daemons (using the same slapcat output file) and modify e.g. "description" attribute on master side, back-ldap pushes out system attributes like entryCSN, creatorsName, etc, which causes modify operation to fail on final consumer side.
conn=1000 op=33 MOD attr=creatorsName createTimestamp description entryCSN conn=1000 op=33 RESULT tag=103 err=19 text=creatorsName: no user modification allowed
Is it some ACL-related matter, should I create some ACL, which denies to read of system attributes on master-side, to avoid replicating it with syncrepl to local back-ldap ?
In such push-based scenario ( in opposite to classic provider-consumer syncrepl), final consumer does not know actually that it is a replica, it's just receiving modify operation, how do I prevent read-only system attributes from being pushed from back-ldap to final replica?
Regards, DT
man slapd-ldap says:
Note: In early versions of back-ldap it was recommended to always set
lastmod off for ldap and meta databases. This was required because operational attributes related to entry creation and modification should not be proxied, as they could be mistakenly written to the target server(s), generating an error. The current implementation automatically sets lastmod to off, so its use is redundant and should be omitted.<<
Anyway, I'm using newest stable (2.3.23), and this behaviour seems to happen. Setting "lastmod off" does not work -
syncprov_db_open: invalid config, lastmod must be enabled
Regards, DT
--On Tuesday, September 14, 2010 8:02 PM +0200 DT Piotr Wadas pwadas@dtpw.pl wrote:
Anyway, I'm using newest stable (2.3.23), and this behaviour seems to happen. Setting "lastmod off" does not work -
syncprov_db_open: invalid config, lastmod must be enabled
Hm, I've never set up push based sycnrepl, but the operational attributes are required to be replicated for sync replication to work right. If your configuration matches the documentation, this sounds like a bug to me.
--Quanah
--
Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration
openldap-technical@openldap.org
-
DT Piotr Wadas -
Quanah Gibson-Mount