JR Aquino wrote:
> On Feb 22, 2012, at 11:26 AM, Rob Crittenden wrote:
>
>> We include memberof when doing a total sync so there is no need to re-run the
>> memberOf task in ipa-replica-manage re-initialize unless the agreement doesn't
>> set nsDS5ReplicatedAttributeListTotal.
>
> When using this patch, it seems to provide the replica with
> nsDS5ReplicatedAttributeList but omits the nsDS5ReplicatedAttributeListTotal
> which causes / triggers the memberof. The current 2.1.4 has the opposite
> problem... It HAS nsDS5ReplicatedAttributeListTotal but does not have
> nsDS5ReplicatedAttributeList... So when it adds all the memberof data, the
> replica replicates all that info back to the master and anyone else in the
> replica party.


2.1.4 doesn't set nsDS5ReplicatedAttributeListTotal.

This patch doesn't add anything; it just doesn't run the memberof task if nsDS5ReplicatedAttributeListTotal is defined. Since you don't have this attribute set, that's why it isn't working.

To test in 2.1.4 after the agreement is set up you can add this with something like this (untested, YMMV):

# ldapmodify -x -D 'cn=directory manager' -W
dn: cn=meTomaster.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: modify
add: nsDS5ReplicatedAttributeList
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount

So the steps would be:

1. Install master
2. Install replica
3. Update agreement as above (if needed)
4. Make sure patch is applied
5. ipa-replica-manage re-initialize replica.example.com

You should not see a memberof storm.
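An added example (not code from the thread or from FreeIPA) that encodes the decision described above: given a replication agreement entry, the memberOf task is needed after re-initialize only when nsDS5ReplicatedAttributeListTotal is missing. It goes one step past the message by also checking that the Total list does not itself EXCLUDE memberof, since such a total update would not carry the attribute either. The sample entries, attribute-list values and function names are constructed for the example.

```python
import re

# Constructed sample agreement entries (attribute -> values), shaped like what an
# ldapsearch of the cn=meTo...,cn=replica,... entry returns. Not taken from the thread.
INCREMENTAL = ("(objectclass=*) $ EXCLUDE memberof entryusn "
               "krblastsuccessfulauth krblastfailedauth krbloginfailedcount")
TOTAL_WITH_MEMBEROF = ("(objectclass=*) $ EXCLUDE entryusn "
                       "krblastsuccessfulauth krblastfailedauth krbloginfailedcount")

AGREEMENT_214 = {"nsDS5ReplicatedAttributeList": [INCREMENTAL]}  # no Total list at all
AGREEMENT_PATCHED = {"nsDS5ReplicatedAttributeList": [INCREMENTAL],
                     "nsDS5ReplicatedAttributeListTotal": [TOTAL_WITH_MEMBEROF]}
AGREEMENT_BAD_TOTAL = {"nsDS5ReplicatedAttributeList": [INCREMENTAL],
                       "nsDS5ReplicatedAttributeListTotal": [INCREMENTAL]}

# Fractional replication syntax: "(<filter>) $ EXCLUDE <attr> <attr> ..."
_FRAG_RE = re.compile(r"^\((?P<filter>.*)\)\s*\$\s*EXCLUDE\s+(?P<attrs>\S.*)$", re.I)


def excluded_attrs(value):
    """Return the lowercase set of attributes an EXCLUDE list strips from replication."""
    m = _FRAG_RE.match(value.strip())
    if not m:
        raise ValueError("unrecognised fractional replication value: %r" % value)
    return {a.lower() for a in m.group("attrs").split()}


def get_attr(entry, name):
    """First value of an LDAP attribute, matched case-insensitively; None if absent."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values[0] if values else None
    return None


def needs_memberof_fixup(agreement):
    """Should a re-initialize over this agreement be followed by the memberOf task?

    Mirrors the patch under discussion: the task is skipped when the agreement
    defines nsDS5ReplicatedAttributeListTotal. Extra check: a Total list that
    itself EXCLUDEs memberof will not carry the attribute in the total update,
    so the fixup task is still required in that case.
    """
    total = get_attr(agreement, "nsDS5ReplicatedAttributeListTotal")
    if total is None:
        return True  # 2.1.4 shape: no Total list, so run the task
    return "memberof" in excluded_attrs(total)


if __name__ == "__main__":
    for label, agmt in [("2.1.4", AGREEMENT_214), ("patched", AGREEMENT_PATCHED),
                        ("bad total", AGREEMENT_BAD_TOTAL)]:
        print(label, "-> run memberOf task:", needs_memberof_fixup(agmt))
```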


