On Tue, Jun 10, 2025 at 10:53:07AM +0000, Windl, Ulrich wrote:
>> Hi Ulrich,
>> as documented, refint-initiated operations are not meant to be
>> replicated, you are supposed to configure refint on each replica. That
>> includes they cannot be logged in accesslog either.
>
> Well, I think they *could* be recorded there, causing some redundancy
> on the consumer if it also uses refint. What will "plain old LDAP
> sync" see from the provider then?

Hi Ulrich,
they will not see "fallout" notifications at all, again because they are
supposed to process them internally. Note that refint is inherently
race-prone already (identifying what updates are needed and running them
is done in a separate task *after* the modification is done).

And no, they cannot be recorded in the accesslog, again because they are
marked internal.

> The requirement that all consumers need to use refint as well seems to
> break LDAP sync IMHO.

Due to LDAP semantics, any operations that affect more than one entry
have the potential to break syncrepl, especially when more than 1 server
accepts new modifications. Things like refint are only "safe" if there
is only one such server at any point.

Regards,

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP