--On Tuesday, August 4, 2020 9:47 AM +0000 Jonathan Steel <[email protected]>
wrote:
This says it is adding "cn=mygroup", and there is a constraint violation
of some sort. You'd need to provide significantly more detail about
your setup as you seem to have some set of overlays in use that you
haven't disclosed.
This uses the memberOf overlay.
The entry it is having an issue adding is this one. I believe it is
because those users do not yet exist, because syncrepl decides to try and
sync this entry before the users.
What is the exact configuration of your memberOf overlay? It would appear,
for example, that it's doing referential integrity or similar.
The slapo-memberof(5) man page explicitly contains the following:
"Note that slapo-memberOf is not compatible with syncrepl based
replication, and should not be used in a replicated environment."
The reason that note is there is due in part to what you're experiencing
now -- if the group is replicated before the users exist, those users will
not have the memberOf attribute added when using a default memberOf
configuration.
Your scenario seems to trigger additional problematic behavior which is why
I'm asking for the exact configuration. It could be useful in the future
for testing.
There's been significant work for OpenLDAP 2.5 to allow slapo-dynlist to be
an alternative to slapo-memberOf in a replicated environment as it does not
suffer from the replication-related issues.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
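
Added example, not part of the original message or of OpenLDAP's own tooling: a small audit that reads a cn=config LDIF export and reports databases that load the memberOf overlay while also being a syncrepl consumer or provider, the combination the man page note above warns against. It assumes a cn=config (not slapd.conf) deployment with plain, non-base64 values; the function name and the sample LDIF are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed cn=config excerpt, trimmed to the relevant attributes (not from the thread).
SAMPLE_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
olcSuffix: dc=example,dc=com
olcSyncrepl: {0}rid=001 provider=ldap://provider.example.com
  searchbase="dc=example,dc=com" type=refreshAndPersist

dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcMemberOf

dn: olcDatabase={3}mdb,cn=config
olcSuffix: dc=standalone,dc=example

dn: olcOverlay={0}memberof,olcDatabase={3}mdb,cn=config
objectClass: olcMemberOf
"""

def replicated_memberof_databases(ldif):
    """Suffixes of databases that load memberof and are a syncrepl consumer or provider."""
    replicated, memberof, suffix = set(), set(), {}
    # Unfold LDIF continuation lines (newline + one space), then split into entries.
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", ldif).strip()):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry[attr.strip().lower()].append(value.strip())
        if "dn" not in entry:
            continue
        dn = entry["dn"][0].lower()
        parent = dn.split(",", 1)[-1]          # overlay entries sit under their database
        classes = {c.lower() for c in entry["objectclass"]}
        if "olcsuffix" in entry:
            suffix[dn] = entry["olcsuffix"][0]
        if "olcsyncrepl" in entry:             # consumer: database pulls via syncrepl
            replicated.add(dn)
        if "olcsyncprovconfig" in classes:     # provider: syncprov overlay on the database
            replicated.add(parent)
        if "olcmemberof" in classes:
            memberof.add(parent)
    return sorted(suffix.get(dn, dn) for dn in replicated & memberof)

if __name__ == "__main__":
    for s in replicated_memberof_databases(SAMPLE_LDIF):
        print(f"memberof overlay on replicated database: {s}")
```

In the sample, only the syncrepl consumer database is reported; the standalone database that loads memberOf without replication is not.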