On Thu, 07 May 2015, Christoph Kaminski wrote:
I am curious however. I have been running OpenLDAP configs with 20 or
more servers in replication for over 5 years. In all that time, I think
I have had replication issues 5 times. In the 6 months of working with
FreeIPA, replication issues are constant. From reading the threads, I am
not the only one in this predicament. Is there any history on why
replication is so problematic in FreeIPA?
same here... OpenLDAP no problems, since we use IPA we have ever
I think the replication design is the problem. All IPAs are masters. I
think it would be more stable if there were 1 master and all replicas
were read only.
Replicas cannot be read only right now because this would mean Kerberos
would be broken as every issued ticket means modification of the
principal's LDAP entry to record account-related information for the
successful and unsuccessful authentication. This is important to
synchronize with other replicas because it also reflects lockout of
You haven't experienced it with OpenLDAP-based LDAP clusters
because most likely you simply did not use them to handle tasks like
this, considering you were running read-only replicas.
It is possible to run OpenLDAP in a multi-master read-write setup as KDC
backends, but you would need to use a different replication mechanism
(delta-syncrepl). Delta-syncrepl would be similar to what 389-ds uses
for replication and there are some related issues with it too, not
really too different from what 389-ds experiences.
However, I must add that to fix possible issues in 389-ds replication it
is not enough to say 'we are experiencing issues in VMs'. Please provide
logs and details of your configuration. It may well be that time drift
in VMs causes more harm than the actual replication protocol itself.
/ Alexander Bokovoy
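The replication state Alexander asks people to report is kept on each 389-ds master in the nsDS5ReplicationAgreement entries under cn=config. As an added example (not code from this thread or from the FreeIPA project), the Python below parses such an LDIF dump, constructed here with made-up hosts and timestamps, and flags agreements whose last update failed or has gone stale; it assumes the two status-string layouts named in the comment and a UTC reference time supplied by the caller.

```python
import re
from datetime import datetime, timezone
# Constructed sample of what `ldapsearch -LLL -b cn=config '(objectClass=nsDS5ReplicationAgreement)'`
# returns on a 389-ds master behind FreeIPA; hosts, suffix and timestamps are made up.
SAMPLE_LDIF = r"""
dn: cn=meToipa2.example.test,cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config
objectClass: nsDS5ReplicationAgreement
nsDS5ReplicaHost: ipa2.example.test
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
nsds5replicaLastUpdateEnd: 20150507120500Z

dn: cn=meToipa3.example.test,cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config
objectClass: nsDS5ReplicationAgreement
nsDS5ReplicaHost: ipa3.example.test
nsds5replicaLastUpdateStatus: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
nsds5replicaLastUpdateEnd: 20150507093000Z
"""
SAMPLE_NOW = datetime(2015, 5, 7, 12, 10, tzinfo=timezone.utc)  # constructed "current time"
# Older 389-ds writes "0 text", newer releases write "Error (0) text"; accept both.
STATUS_RE = re.compile(r"^(?:Error\s*\()?(-?\d+)\)?\s*(.*)$")
def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, lower-cased attribute names."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def check_agreements(ldif_text, now, max_age_minutes=30):
    """Return {replica host: [problem, ...]}; an empty list means the agreement looks healthy."""
    report = {}
    for e in parse_ldif(ldif_text):
        host = e["nsds5replicahost"][0]
        code, msg = STATUS_RE.match(e["nsds5replicalastupdatestatus"][0]).groups()
        # GeneralizedTime in UTC; a never-updated agreement shows the epoch and so is flagged as stale
        end = datetime.strptime(e["nsds5replicalastupdateend"][0], "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        age_min = (now - end).total_seconds() / 60
        problems = []
        if int(code) != 0:
            problems.append(f"status {code}: {msg}")
        if age_min > max_age_minutes:
            problems.append(f"last update ended {age_min:.0f} min ago")
        report[host] = problems
    return report
if __name__ == "__main__":
    for host, problems in check_agreements(SAMPLE_LDIF, SAMPLE_NOW).items():
        print(host, "OK" if not problems else "; ".join(problems))
```

On a real master, feed it the ldapsearch output from each server in turn: an agreement that reports a non-zero code or a stale end time on one host but not its peers is the one whose logs are worth posting.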
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project