[389-users] memberOf plugin and multimaster replication

Rich Megginson rmeggins at redhat.com
Fri Oct 2 22:48:21 UTC 2015


On 10/02/2015 12:16 PM, ghiureai wrote:
>
>
> Hi List and Rich,
>
> as per last documentation update I am trying to cfg fractional
> replication (excluding memberOf plugin) for a multimaster cfg
> server 3 ldap server, when starting with first one after mentioning
> "memberOf" to be excluded in replication agreement, I get a message
> like this "Fractional replication can be done to a read-only suffix
> in replica"... is this the case, so no multimaster will work with
> fractional replication?, or any other issue to get with message?
> I am following same procedure as for multimaster replication except the
> agreement has fractional replication, is this the correct approach?

The ability to create multi-master fractional replication agreements has 
been supported since 2008 (freeipa uses this feature heavily). However, 
I don't know if we have ever tested this using the console, or told the 
console to allow this.  I'm assuming you are attempting to get this to 
work with the console?  If so, then try it with the command line 
instructions.

> Thank you
> Isabella
>
>
> Isabella
>
> On 10/01/2015 11:49 AM, ghiureai wrote:
>> Hi List, Rich
>> Here is the URL for the doc mentioned in this email, please can you
>> confirm if this is the case for multimaster replication and memberOf
>> plugin, is this the last update doc version?
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Advanced_Entry_Management.html#groups-cmd-memberof 
>>
>>
>> Thank you
>> Isabella
>> On 10/01/2015 11:20 AM, Rich Megginson wrote:
>>> On 10/01/2015 12:06 PM, ghiureai wrote:
>>>> Hi Rich
>>> Unless the issue involves some sort of security problem that involves a
>>> potential CVE, or contains sensitive data internal to your organization
>>> that you cannot make public, I would prefer that you use the
>>> 389-users at lists.fedoraproject.org for questions such as this. Not only
>>> will this benefit the entire community, but there are others who can
>>> answer these sorts of questions.
>>>
>>>
>>>> Are you aware of any issues with MemberOf plugin and multimaster
>>>> replication, some of old documentation one of the developers mentioned
>>>> to me shows you can use full replication agreement,
>>> Please provide the URL of the documentation.
>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Advanced_Entry_Management.html#groups-cmd-memberof 
>>
>>
>>>> please see below and if you can advise if this is still the case:
>>>>
>>>> "......The memberOf attributes for user entries should not be
>>>> replicated in multi-master environments. Make sure that the memberOf
>>>> attribute is excluded from replication in the replication agreement.
>>>> (Fractional replication is described in Section 11.1.7, “Replicating a
>>>> Subset of Attributes with Fractional Replication”.)
>>>> Each server must maintain its own MemberOf Plug-in independently. To
>>>> make sure that the memberOf attributes for entries are the same across
>>>> servers, simply configure the MemberOf Plug-in the same on all servers.
>>>> With single-master replication, it is perfectly safe to replicate
>>>> memberOf attributes. Configure the MemberOf Plug-in for the supplier,
>>>> then replicate the memberOf attributes to the consumers. ....."
>>> Yes, in general it is better to replicate the group operations only, and
>>> let each directory server update the internal memberof data. This
>>> reduces the amount of replication traffic, and reduces the complexity
>>> and processing in the memberof plugin to know if it needs to include or
>>> exclude an operation.
>>>
>>>> Thank you
>>>> Isabella
>>>>
>
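Added example, not part of the original thread or of the 389 DS project's code: a check over replication agreement entries exported as LDIF that reports which agreements would still replicate memberOf. It relies on nsDS5ReplicatedAttributeList, the agreement attribute 389 Directory Server uses for fractional replication; the sample LDIF, host names, suffix and function names are constructed for illustration.

```python
import re

# Constructed sample: three agreements as they might appear in an export of
# cn=config. Host names and suffix are placeholders. One value is line-folded.
SAMPLE_LDIF = """\
dn: cn=to-ldap2,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
nsDS5ReplicaHost: ldap2.example.com
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberOf

dn: cn=to-ldap3,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
nsDS5ReplicaHost: ldap3.example.com
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE authorityRevocat
 ionList accountUnlockTime

dn: cn=to-ldap4,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
nsDS5ReplicaHost: ldap4.example.com
"""

def parse_ldif(text):
    # Undo RFC 2849 line folding, then split entries on blank lines.
    # Base64 ("attr:: ...") values are not decoded here.
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def excluded_attrs(entry):
    # Attribute names listed after "$ EXCLUDE", lower-cased for comparison.
    excluded = set()
    for value in entry.get("nsds5replicatedattributelist", []):
        m = re.search(r"\$\s*EXCLUDE\s+(.*)", value, re.IGNORECASE)
        if m:
            excluded.update(a.lower() for a in m.group(1).split())
    return excluded

def agreements_replicating(text, attr="memberOf"):
    # DNs of agreements that do not exclude `attr` (no list = full replication).
    flagged = []
    for entry in parse_ldif(text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "nsds5replicationagreement" in classes and attr.lower() not in excluded_attrs(entry):
            flagged.append(entry["dn"][0])
    return flagged
```

Input for the check can come from an `ldapsearch` against `cn=config` with the filter `(objectClass=nsds5replicationagreement)`, run on each master so that every direction of the multimaster topology is covered.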



