On 12/18/19 6:09 PM, Howard Chu wrote:
> Howard Chu wrote:
>> Quanah Gibson-Mount wrote:
>>> It would be great along with all of this to finally fix memberOf
>>> so it's actually functional (and replication safe) (I.e., can
>>> maintain membership regardless of user/group creation order).
>>
>> That sounds like scope creep. Out of scope for the current discussion.
>>
> Just thinking about this a bit more - I don't really see any good solution
> here. If you want memberof to accept DNs of entries that don't exist, you
> can set memberof-dangling to ignore. And then it'll accumulate DNs of
> nonexistent entries...
>
> If you want it to maintain an accurate list of only existing entry DNs, then
> you have to check for existence at the time of updating the memberof
> attribute.
>
> Another option is to let it update lazily only during a refresh, and then run
> a cleanup job when the refresh completes. Not sure how we would rig things up
> for refreshDone to trigger other modules.

My feeling always was that 'memberOf' should simply be replicated like other operational attributes (modifiersName, pwdChangedTime etc.).

Ondrej and I had a longer discussion about this at the LDAPcon pre-conference dinner. He was not sure whether my proposal could work.

So the big question is: Why is 'memberOf' not replicated?

Next question is: Can slapo-memberof detect whether a write operation comes from replication and simply ignore that?

Ciao, Michael.