[389-users] memberOf pluging and multimaster replication

[Rich Megginson]

On 10/01/2015 12:49 PM, ghiureai wrote:
> Hi List ,Rich
> Here is the URL for the doc mentioned in this email, please can you 
> confirm if this is the case for multimaster replication and memberOf 
> plugin , is this the last update doc version ?

Here is the latest doc version 
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Advanced_Entry_Management.html#memberof-topology

And yes, I can confirm that it is the case - we recommend _not_ to 
replicate memberof attributes.

>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Advanced_Entry_Management.html#groups-cmd-memberof 
>
>
> Thank you
> Isabella
>  On 10/01/2015 11:20 AM, Rich Megginson wrote:
>> On 10/01/2015 12:06 PM, ghiureai wrote:
>>> Hi Rich
>> Unless the issue involves some sort of security problem that involves a
>> potential CVE, or contains sensitive data internal to your organization
>> that you cannot make public, I would prefer that you use the
>> 389-users at lists.fedoraproject.org for questions such as this. Not only
>> will this benefit the entire community, but there are others who can
>> answer these sorts of questions.
>>
>>
>>> Are you aware of any issues with MemberOf plugin and multimaster
>>> replication, some of old documentation one of the developer mentioned
>>> to me shows you can use full replication agreement ,
>> Please provide the URL of the documentation.
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Advanced_Entry_Management.html#groups-cmd-memberof 
>
>
>>
>>> please see bellow and if you can advise if this is still the case :
>>>
>>> "......The memberOf attributes for user entries should not be
>>> replicated in multi-master environments. Make sure that the memberOf
>>> attribute is excluded from replication in the replication agreement.
>>> (Fractional replication is described in Section 11.1.7, “Replicating a
>>> Subset of Attributes with Fractional Replication”.)
>>> Each server must maintain its own MemberOf Plug-in independently. To
>>> make sure that the memberOf attributes for entries are the same across
>>> servers, simply configure the MemberOf Plug-in the same on all servers.
>>> With single-master replication, it is perfectly safe to replicate
>>> memberOf attributes. Configure the MemberOf Plug-in for the supplier,
>>> then replicate the memberOf attributes to the consumers. ....."
>> Yes, in general it is better to replicate the group operations only, and
>> let each directory server update the internal memberof data. This
>> reduces the amount of replication traffic, and reduces the complexity
>> and processing in the memberof plugin to know if it needs to include or
>> exclude an operation.
>>
>>> Thank you
>>> Isabella
>>>
>