<p class="p1">Note: I have searched through years past in 389-users and have found a few others experiencing the same problem, yet I could not find any resolution.</p><p class="p1"><br></p>
<p class="p3"><span class="s1">I am attempting to set up chain on update per <a href="http://directory.fedoraproject.org/wiki/Howto:ChainOnUpdate"><span class="s2">http://directory.fedoraproject.org/wiki/Howto:ChainOnUpdate</span></a></span></p>

<p class="p2"><br></p>
<p class="p1">The packages installed are:</p>
<p class="p1">389-admin-console-1.1.8-1.el6.noarch</p>
<p class="p1">389-ds-1.2.2-1.el6.noarch</p>
<p class="p1">389-ds-base-1.2.9.14-1.el6_2.2.x86_64</p>
<p class="p1">389-console-1.1.7-1.el6.noarch</p>
<p class="p1">389-admin-console-doc-1.1.8-1.el6.noarch</p>
<p class="p1">389-ds-base-libs-1.2.9.14-1.el6_2.2.x86_64</p>
<p class="p1">389-dsgw-1.1.7-2.el6.x86_64</p>
<p class="p1">389-ds-console-1.2.6-1.el6.noarch</p>
<p class="p1">389-ds-console-doc-1.2.6-1.el6.noarch</p>
<p class="p1">389-adminutil-1.1.14-2.el6.x86_64</p>
<p class="p1">389-admin-1.1.25-1.el6.x86_64</p>
<p class="p2"><br></p>
<p class="p1">The justification for use of chain_on_update is that our clients are “dumb” and unable to follow referrals.  </p>
<p class="p2"><br></p>
<p class="p1">As a POC, I am testing with two servers: <a href="http://be1.foo.com">be1.foo.com</a> (Master) and <a href="http://be2.foo.com">be2.foo.com</a> (Consumer)</p>
<p class="p2"><br></p>
<p class="p1">Prior to following the instructions in the Howto:ChainOnUpdate (linked above) the environment operated as follows:</p>
<p class="p2"><br></p>
<p class="p1">Scenario A)</p>
<p class="p1"><a href="http://Client.foo.com">Client.foo.com</a> attempts to modify <a href="http://be1.foo.com">be1.foo.com</a> -&gt; Allowed</p>
<p class="p1">Change made by <a href="http://client.foo.com">client.foo.com</a> to <a href="http://be1.foo.com">be1.foo.com</a> is replicated to <a href="http://be2.foo.com">be2.foo.com</a></p>
<p class="p1">Ldapsearch of both servers shows the item was properly replicated, value is the same on be1 and be2</p>
<p class="p1">-----</p>
<p class="p1">Scenario B)</p>
<p class="p1"><a href="http://Client.foo.com">Client.foo.com</a> attempts to modify <a href="http://be2.foo.com">be2.foo.com</a> -&gt; Not allowed, given referral</p>
<p class="p2"><br></p>
<p class="p1">Upon following the instructions in the aforementioned howto the environment operates as follows:</p>
<p class="p2"><br></p>
<p class="p1">Scenario A)</p>
<p class="p1"><a href="http://Client.foo.com">Client.foo.com</a> attempts to modify <a href="http://be1.foo.com">be1.foo.com</a> -&gt; Allowed</p>
<p class="p1">Change made by <a href="http://client.foo.com">client.foo.com</a> to <a href="http://be1.foo.com">be1.foo.com</a> is replicated to <a href="http://be2.foo.com">be2.foo.com</a></p>
<p class="p1">Ldapsearch of both servers shows the item was properly replicated, value is the same on be1 and be2</p>
<p class="p1">-----</p>
<p class="p1">Scenario B)</p>
<p class="p1"><a href="http://Client.foo.com">Client.foo.com</a> attempts to modify <a href="http://be2.foo.com">be2.foo.com</a> -&gt; Allowed</p>
<p class="p1">Change made by <a href="http://client.foo.com">client.foo.com</a> *<b>SHOULD</b>* have been handled by the chaining backend and modified on be1</p>
<p class="p1">Ldapsearch of both servers shows the item was modified on be2 but not be1 (be1 still has the old value)</p>
<p class="p2"><br></p>
<p class="p1">It seems the writes from <a href="http://client.foo.com">client.foo.com</a> to <a href="http://be2.foo.com">be2.foo.com</a> are being committed to the local database (userRoot) instead of being handled by the chaining backend (chainbe1). </p>

<p class="p2"><br></p>
<p class="p1">As the howto suggests, I am using the replication manager for the proxy auth.  I have confirmed the credentials on all servers.</p>
<p class="p2"><br></p>
<p class="p1">dn: cn=dc\3Dfoo\2Cdc\3Dcom,cn=mapping tree,cn=config</p>
<p class="p1">objectClass: top</p>
<p class="p1">objectClass: extensibleObject</p>
<p class="p1">objectClass: nsMappingTree</p>
<p class="p1">cn: &quot;dc=foo,dc=com&quot;</p>
<p class="p1">nsslapd-state: backend</p>
<p class="p1">nsslapd-backend: userRoot</p>
<p class="p1">nsslapd-backend: chainbe1</p>
<p class="p1">nsslapd-distribution-plugin: libreplication-plugin.so</p>
<p class="p1">nsslapd-distribution-funct: repl_chain_on_update</p>
<p class="p2"><br></p>
<p class="p1">dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config</p>
<p class="p1">objectClass: top</p>
<p class="p1">objectClass: extensibleObject</p>
<p class="p1">objectClass: nsBackendInstance</p>
<p class="p1">cn: userRoot</p>
<p class="p1">numSubordinates: 7</p>
<p class="p1">nsslapd-suffix: dc=foo,dc=com</p>
<p class="p1">nsslapd-cachesize: -1</p>
<p class="p1">nsslapd-cachememsize: 10485760</p>
<p class="p1">nsslapd-readonly: off</p>
<p class="p1">nsslapd-require-index: off</p>
<p class="p1">nsslapd-directory: /var/lib/dirsrv/slapd-be2/db/userRoot</p>
<p class="p1">nsslapd-dncachememsize: 10485760</p>
<p class="p2"><br></p>
<p class="p1">dn: cn=replica,cn=dc\3Dfoo\2Cdc\3Dcom,cn=mapping tree,cn=config</p>
<p class="p1">objectClass: nsDS5Replica</p>
<p class="p1">objectClass: top</p>
<p class="p1">nsDS5ReplicaRoot: dc=foo,dc=com</p>
<p class="p1">nsDS5ReplicaType: 2</p>
<p class="p1">nsDS5Flags: 0</p>
<p class="p1">nsds5ReplicaPurgeDelay: 604800</p>
<p class="p1">nsDS5ReplicaBindDN: cn=replication manager,cn=replication,cn=config</p>
<p class="p1">cn: replica</p>
<p class="p1">nsDS5ReplicaId: 6553</p>
<p class="p1">nsDS5ReplicaName: ((REDACTED FOR EMAIL THREAD))</p>
<p class="p2"><br></p>
<p class="p1">dn: cn=chainbe1,cn=chaining database,cn=plugins,cn=config</p>
<p class="p1">objectClass: top</p>
<p class="p1">objectClass: extensibleObject</p>
<p class="p1">objectClass: nsBackendInstance</p>
<p class="p1">cn: chainbe1</p>
<p class="p1">nsslapd-suffix: &quot;dc=foo,dc=com&quot;</p>
<p class="p1">nsfarmserverurl: ldap://be1.foo.com/</p>
<p class="p1">nsmultiplexorbinddn: cn=replication manager,cn=replication,cn=config</p>
<p class="p1">nschecklocalaci: off</p>
<p class="p1">nsusestarttls: on</p>
<p class="p1">nsbindmethod:</p>
<p class="p1">nsmultiplexorcredentials: {DES}((REDACTED FOR EMAIL THREAD))</p>
<p class="p2"><br></p>
<p class="p1">dn: cn=config,cn=chaining database,cn=plugins,cn=config</p>
<p class="p1">objectClass: top</p>
<p class="p1">objectClass: extensibleObject</p>
<p class="p1">cn: config</p>
<p class="p1">nstransmittedcontrols: 2.16.840.1.113730.3.4.2</p>
<p class="p1">nstransmittedcontrols: 2.16.840.1.113730.3.4.9</p>
<p class="p1">nstransmittedcontrols: 1.2.840.113556.1.4.473</p>
<p class="p1">nstransmittedcontrols: 1.3.6.1.4.1.1466.29539.12</p>
<p class="p1">nspossiblechainingcomponents: cn=resource limits,cn=components,cn=config</p>
<p class="p1">nspossiblechainingcomponents: cn=certificate-based authentication,cn=components,cn=config</p>
<p class="p1">nspossiblechainingcomponents: cn=password policy,cn=components,cn=config</p>
<p class="p1">nspossiblechainingcomponents: cn=sasl,cn=components,cn=config</p>
<p class="p1">nspossiblechainingcomponents: cn=roles,cn=components,cn=config</p>
<p class="p1">nspossiblechainingcomponents: cn=ACL Plugin,cn=plugins,cn=config</p>
<p class="p1">nspossiblechainingcomponents: cn=old plugin,cn=plugins,cn=config</p>
<p class="p1">nspossiblechainingcomponents: cn=referential integrity postoperation,cn=plugins,cn=config</p>
<p class="p1">nspossiblechainingcomponents: cn=attribute uniqueness,cn=plugins,cn=config</p>
<p class="p2"><br></p>
<p class="p2"><br></p>
<p class="p1">Any help in getting ChainOnUpdate to work with my 389 servers would be greatly appreciated.  </p>
<p class="p2"><br></p>
<p class="p1">Thanks in advance!</p>
<p class="p2"><br></p>
<p class="p1">Jim Finn</p>
<p class="p2"><br></p>
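<p class="p1">Added example, not part of the original post and not code from the 389 project: a small consistency check over entries like the ones quoted above, confirming that every backend named in the mapping tree has an instance entry, that the distribution function is repl_chain_on_update, that both backends serve the same suffix, and that the chaining backend binds as the replica's bind DN. The helper names parse_ldif, norm and check are made up for this example, and it checks only that the entries agree with each other; it does not determine why writes land in userRoot.</p>

```python
import re
# Constructed sample built from values in the post; one line is folded to exercise unfolding.
SAMPLE = r"""
dn: cn=dc\3Dfoo\2Cdc\3Dcom,cn=mapping tree,cn=config
nsslapd-backend: userRoot
nsslapd-backend: chainbe1
nsslapd-distribution-funct: repl_chain_on_update

dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
nsslapd-suffix: dc=foo,dc=com

dn: cn=replica,cn=dc\3Dfoo\2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaBindDN: cn=replication manager,cn=replication,cn=config

dn: cn=chainbe1,cn=chaining database,cn=plugins,cn=config
nsslapd-suffix: "dc=foo,dc=com"
nsmultiplexorbinddn: cn=replication manager,cn=replication,
 cn=config
"""

def parse_ldif(text):
    """Unfold continuation lines; return {lowercased dn: {attr: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.replace("\n ", "").strip()):
        pairs = [l.partition(":")[::2] for l in block.splitlines()]
        attrs = {}
        for a, v in pairs[1:]:
            attrs.setdefault(a.strip().lower(), []).append(v.strip())
        entries[pairs[0][1].strip().lower()] = attrs  # first line is the dn
    return entries

def norm(dn):
    return re.sub(r"\s*,\s*", ",", dn.strip('"').lower())  # ignore quotes, case, comma spacing

def check(entries):
    """Return inconsistencies between the entries; [] means they agree."""
    tree = next(e for e in entries.values() if "nsslapd-backend" in e)
    replica = next(e for e in entries.values() if "nsds5replicabinddn" in e)
    inst = {dn.split(",")[0][3:]: e for dn, e in entries.items() if "nsslapd-suffix" in e}
    problems = [f"backend {b} has no instance entry"
                for b in tree["nsslapd-backend"] if b.lower() not in inst]
    if tree.get("nsslapd-distribution-funct") != ["repl_chain_on_update"]:
        problems.append("distribution function is not repl_chain_on_update")
    if len({norm(e["nsslapd-suffix"][0]) for e in inst.values()}) > 1:
        problems.append("backends serve different suffixes")
    binds = [norm(e["nsmultiplexorbinddn"][0]) for e in inst.values() if "nsmultiplexorbinddn" in e]
    if binds != [norm(replica["nsds5replicabinddn"][0])]:
        problems.append("chaining bind DN is not the replica bind DN")
    return problems
```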