Hi.
I have a replication setup in which I replicate not the entire tree, but only
part of it.
The provider and consumer configurations are attached.
I use openldap-server-2.4.31 and db47-4.7.25.4
When adding an object outside of the replicated subtree,
e.g. ou=TestBranch1,dc=example,dc=com,
the contextCSN of dn dc=example,dc=com on the consumer server is updated, OK.
But when removing an object, the contextCSN is not updated!
Is this expected behavior or not?
At first I added the object *ou=hosts,ou=TestBranch2,dc=example,dc=com*.
After that I removed the object.
Provider log:
Jun 22 06:37:53 ro1 slapd[62268]: conn=1002 op=52 SRCH
base="ou=hosts,ou=TestBranch2,dc=example,dc=com" scope=0 deref=0
filter="(objectClass=*)"
Jun 22 06:37:53 ro1 slapd[62268]: conn=1002 op=52 SRCH
attr=hasSubordinates objectClass
Jun 22 06:37:53 ro1 slapd[62268]: conn=1002 op=52 SEARCH RESULT tag=101
err=32 nentries=0 text=
Jun 22 06:37:54 ro1 slapd[62268]: conn=1002 op=53 ADD
dn="ou=hosts,ou=TestBranch2,dc=example,dc=com"
Jun 22 06:37:54 ro1 slapd[62268]: slap_queue_csn: queing 0x7ffffe3fb100
20120622063754.599740Z#000000#000#000000
Jun 22 06:37:54 ro1 slapd[62268]: conn=1002 op=53 RESULT tag=105 err=0 text=
Jun 22 06:37:54 ro1 slapd[62268]: slap_graduate_commit_csn: removing
0x80191bfd0 20120622063754.599740Z#000000#000#000000
Jun 22 06:37:54 ro1 slapd[62268]: conn=1002 op=54 SRCH
base="ou=hosts,ou=TestBranch2,dc=example,dc=com" scope=0 deref=0
filter="(objectClass=*)"
Jun 22 06:37:54 ro1 slapd[62268]: conn=1002 op=54 SRCH
attr=hasSubordinates objectClass
Jun 22 06:37:54 ro1 slapd[62268]: conn=1002 op=54 SEARCH RESULT tag=101
err=0 nentries=1 text=
Jun 22 06:38:01 ro1 slapd[62268]: conn=1002 op=55 DEL
dn="ou=hosts,ou=TestBranch2,dc=example,dc=com"
Jun 22 06:38:01 ro1 slapd[62268]: slap_queue_csn: queing 0x7ffffebfc590
20120622063801.799710Z#000000#000#000000
Jun 22 06:38:01 ro1 slapd[62268]: conn=1002 op=55 RESULT tag=107 err=0 text=
Jun 22 06:38:01 ro1 slapd[62268]: slap_graduate_commit_csn: removing
0x802738970 20120622063801.799710Z#000000#000#000000
Jun 22 06:38:02 ro1 slapd[62268]: conn=1002 op=56 SRCH
base="ou=TestBranch2,dc=example,dc=com" scope=1 deref=3
filter="(objectClass=*)"
Jun 22 06:38:02 ro1 slapd[62268]: conn=1002 op=56 SRCH
attr=hasSubordinates objectClass
Jun 22 06:38:02 ro1 slapd[62268]: conn=1002 op=56 SEARCH RESULT tag=101
err=0 nentries=2 text=
Consumer log:
Jun 22 06:37:54 ro2 slapd[62298]: do_syncrep2: rid=111
LDAP_RES_INTERMEDIATE - NEW_COOKIE
Jun 22 06:37:54 ro2 slapd[62298]: do_syncrep2: rid=111 NEW_COOKIE:
rid=111,csn=20120622063754.599740Z#000000#000#000000
Jun 22 06:37:54 ro2 slapd[62298]: slap_queue_csn: queing 0x8019eca90
20120622063754.599740Z#000000#000#000000
Jun 22 06:37:54 ro2 slapd[62298]: slap_graduate_commit_csn: removing
0x8019ec2b0 20120622063754.599740Z#000000#000#000000
--
Konstantin Menshikov
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/dyngroup.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/java.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/ppolicy.schema
include /usr/local/etc/openldap/schema/sudo.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/spamassassin.schema
include /usr/local/etc/openldap/schema/openssh-lpk.schema
include /usr/local/etc/openldap/schema/asterisk.schema
# Review notes: global section of the first attached file. Its database
# section further down loads `overlay syncprov`, so this is the provider.
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# `sync` and `stats` are the log levels that yield the CSN/syncrepl lines and
# the per-connection/operation lines of the kind quoted in the post.
loglevel sync stats
# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_hdb
#moduleload back_ldap
#moduleload back_perl
sizelimit 5000
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
#access to dn.base="" by * read
#access to dn.base="cn=Subschema" by * read
# NOTE(review): this is the only active access rule in the file. It grants
# read on the whole dc=example,dc=com subtree to any authenticated identity,
# with no attribute restriction (so userPassword is covered too) and no
# `by anonymous auth` clause. A dedicated rule for userPassword placed before
# it is the usual way to narrow this.
access to dn.sub="dc=example,dc=com" by users read
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
# Enable TLS
# Server certificate and private key used by slapd; the key file should be
# readable only by the account slapd runs as.
TLSCACertificatePath /etc/ssl/certs
TLSCertificateFile /etc/ssl/certs/ro.devel.ldap.hostcomm.ru.crt
TLSCertificateKeyFile /etc/ssl/private/ro.devel.ldap.hostcomm.ru.key
# Here, ssf=128 tells OpenLDAP to require 128-bit encryption for all
# connections, both search and update.
# Minimum security strength factor required for every operation.
security ssf=128
# `bind` requires a bind operation before other operations and `LDAPv3`
# requires protocol version 3. NOTE(review): `bind` alone does not demand
# authentication; `require authc` is the condition that does.
require bind LDAPv3
#######################################################################
# BDB database definitions
#######################################################################
database hdb
suffix "dc=example,dc=com"
rootdn "cn=ldapadm,dc=example,dc=com"
# NOTE(review): rootpw is given in cleartext (presumably a stand-in for the
# posting). slapd.conf(5) also accepts a hashed value such as slappasswd(8)
# produces; either way, keep this file unreadable to other users.
rootpw password
directory /var/db/openldap-data/dc=example
# Makes this database a syncrepl provider.
overlay syncprov
index mailLocalAddress pres,eq
index mail pres,eq,sub
index objectClass eq
index uid eq,sub
# entryUUID equality index.
# NOTE(review): presumably kept for syncrepl lookups; confirm.
index entryUUID eq
index cn eq
# cn=config database; the value below looks like a placeholder and, like the
# rootpw above, would be a cleartext password if used literally.
database config
rootpw PASSW_FOR_CN=CONFIG
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/dyngroup.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/java.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/ppolicy.schema
include /usr/local/etc/openldap/schema/sudo.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/spamassassin.schema
include /usr/local/etc/openldap/schema/openssh-lpk.schema
include /usr/local/etc/openldap/schema/asterisk.schema
# Review notes: global section of the second attached file. Its database
# section further down carries the `syncrepl` directive, so this is the
# consumer.
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# `sync` and `stats` are the log levels that yield the do_syncrep2/CSN lines
# of the kind quoted in the consumer log.
loglevel sync stats
# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_bdb
moduleload back_hdb
# moduleload back_ldap
#moduleload back_perl
sizelimit 5000
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# NOTE(review): every access directive in this file is commented out, so the
# default policy described in the comment below applies on the consumer: read
# access is not restricted by ACLs here, unlike on the provider.
#access to dn.base="" by * read
#access to dn.base="cn=Subschema" by * read
#access to dn="" by * read
#access to dn="cn=Subschema" by * read
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
# Enable TLS
# Server certificate and private key used by slapd; the key file should be
# readable only by the account slapd runs as.
TLSCACertificatePath /etc/ssl/certs
TLSCertificateFile /etc/ssl/certs/ro.devel.ldap.hostcomm.ru.crt
TLSCertificateKeyFile /etc/ssl/private/ro.devel.ldap.hostcomm.ru.key
# Here, ssf=128 tells OpenLDAP to require 128-bit encryption for all
# connections, both search and update.
# Minimum security strength factor required for every operation.
security ssf=128
# `bind` requires a bind operation before other operations and `LDAPv3`
# requires protocol version 3. NOTE(review): `bind` alone does not demand
# authentication; `require authc` is the condition that does.
require bind LDAPv3
#######################################################################
# BDB database definitions
#######################################################################
database hdb
suffix "dc=example,dc=com"
rootdn "cn=ldapadm,dc=example,dc=com"
# NOTE(review): rootpw is given in cleartext (presumably a stand-in for the
# posting). slapd.conf(5) also accepts a hashed value such as slappasswd(8)
# produces; either way, keep this file unreadable to other users.
rootpw password
directory /var/db/openldap-data/dc=example
# Consumer side of the replication. The parameter lines after `syncrepl` are
# continuation lines; slapd.conf continuation lines begin with whitespace,
# which appears to have been lost in this posting.
# - searchbase limits replication to ou=TestBranch1,dc=example,dc=com.
# - type=refreshAndPersist keeps a persistent search open to the provider;
#   retry="60 +" retries every 60 seconds without limit.
# NOTE(review): tls_reqcert=never means the consumer does not verify the
# provider's certificate, so the ldaps:// session is encrypted but the
# provider is not authenticated. The simple bind below sends the password over
# that session. tls_reqcert=demand with tls_cacert or tls_cacertdir closes
# that gap.
# NOTE(review): binddn is the rootdn and credentials is its cleartext
# password. A dedicated replication identity with read access to the
# replicated subtree only would limit what a leak of this file exposes.
syncrepl rid=111
provider=ldaps://ro1.devel.ldap.hostcomm.ru
type=refreshAndPersist
tls_reqcert=never
retry="60 +"
searchbase="ou=TestBranch1,dc=example,dc=com"
schemachecking=off
bindmethod=simple
binddn="cn=ldapadm,dc=example,dc=com"
credentials="password"
index mailLocalAddress pres,eq
index mail pres,eq,sub
index objectClass eq
index uid eq,sub
# entryUUID equality index.
# NOTE(review): presumably kept for syncrepl lookups; confirm.
index entryUUID eq
index cn eq
# cn=config database; the value below looks like a placeholder and, like the
# rootpw above, would be a cleartext password if used literally.
database config
rootpw PASSW_FOR_CN=CONFIG