Question: What is happening that I can turn a multimaster replica into a
"shadow context"?

(I'm more or less fine with the behaviour since I don't mind stopping the
multimaster slapd's to do a password change, but I'm concerned that I may have
missed some underlying problem in my setup.)

I've found that issuing a particular set of changes to one or both cn=config
multimaster replicas means that I cannot issue any more changes to cn=config
until I restart slapd.

The LDIF I paste into my ldapmodify session is this (changed the hostname and
credentials from the real ones):

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: {0}rid=1 provider=ldap://ldap-supplier-lab-01.company.com
  binddn="cn=config" bindmethod=simple credentials=newpw searchbase="cn=config"
  type=refreshAndPersist retry="5 5 30 +" timeout=5
olcSyncrepl: {1}rid=2 provider=ldap://ldap-supplier-lab-02.company.com
  binddn="cn=config" bindmethod=simple credentials=newpw searchbase="cn=config"
  type=refreshAndPersist retry="5 5 30 +" timeout=5
-
replace: olcRootPW
olcRootPW: newpw

I get this output:

modifying entry "olcDatabase={0}config,cn=config"

Then I observe the following behaviour:

I can ldapsearch with the new password and get the expected result (LDIF output
of the cn=config database).

When I ldapmodify with the new password I get this output:

modifying entry "olcDatabase={0}config,cn=config"
ldap_modify: Server is unwilling to perform (53)
        additional info: shadow context; no update referral

After I restart slapd I get the expected behaviours with both ldapsearch (get
LDIF output) and ldapmodify (can change cn=config).

Further, I've diffed the LDIF output of directories before and after this
change, and I do not see any difference apart from the attributes that I've
changed.