Hi,
We're currently using 389ds as a backend for sssd and would like to try to improve the performance by enabling USN on the server side. Our current architecture, however, hides the individual client-facing ldap servers behind a load-balanced VIP so the client never actually knows which backend it may hit. This poses a problem with USNs because successive requests may not hit the same server and the USNs are local to the server and explicitly not replicated. I understand why this is the case (so that multimaster configs work correctly) but we only run a single master that replicates out to the client-facing ldap servers (which in turn refer any updates back to the master).
It sounds like we would actually *want* to force the replication of the USNs out to the client-facing servers (so that it doesn't matter which backend you hit, the numbers will always match) but I can't figure out how to do that (or even if it is possible). The USN plugin adds 'EXCLUDE entryusn' to the default nsDS5ReplicatedAttributeList on startup and my attempts to override this on the individual replication agreements have, thus far, not worked.
Is there some way to make this setup work with USNs?
Thanks...