On 12/18/19 6:09 PM, Howard Chu wrote:
> Howard Chu wrote:
>> Quanah Gibson-Mount wrote:
>>> It would be great along with all of this to finally fix memberOf
>>> so it's actually functional (and replication safe) (I.e., can
>>> maintain membership regardless of user/group creation order).
>>
>> That sounds like scope creep. Out of scope for the current discussion.
>>
> Just thinking about this a bit more - I don't really see any good solution here. If
> you want memberof to accept DNs of entries that don't exist, you can set memberof-dangling
> to ignore. And then it'll accumulate DNs of nonexistent entries...
>
> If you want it to maintain an accurate list of only existing entry DNs, then you
> have to check for existence at the time of updating the memberof attribute.
> 
> Another option is to let it update lazily only during a refresh, and then run
> a cleanup job when the refresh completes. Not sure how we would rig things up
> for refreshDone to trigger other modules.

My feeling always was that 'memberOf' should simply be replicated like
other operational attributes (modifiersName, pwdChangedTime etc.).

Ondrej and I had a longer discussion about this at the LDAPcon
pre-conference dinner. He was not sure whether my proposal could work.

So the big question is:
Why is 'memberOf' not replicated?

Next question is:
Can slapo-memberof detect whether a write operation comes from
replication and simply ignore that?

Ciao, Michael.
