[389-users] memberOf pluging and multimaster replication

Rich Megginson rmeggins at redhat.com
Mon Oct 5 15:13:52 UTC 2015 

On 10/05/2015 08:57 AM, ghiureai wrote:
>
>
> Gmorning List and Rich,
>
> I manged some progress Friday with cfg multimaster replication 
> fractional ( exclude memberOf plugin)  the final goal  is to have 3 
> ldap 's aka : 1,2 and 4 in mutlimaster fraction rep.
>  I had cfg  dlap 2 to 4  as mutimaster , now I would like to bring in 
> ldap1 in cfg ( this is at present time our only production , all 
> writes+ read s are going here) ,
> we  can not  have ldap1 offline I will like to proceed with cfg the 
> same steps I did for 2 to 4, but I will ask ldap 2 to be initialized 
> with most recent data from ldap1 , any issues here I may have to be 
> aware ?

No.  You can initialize 2 from 1 while 1 is running.

> Would ldap4 get updated also when performing the initialization of 
> ldap2 ?

No.  After 2 is initialized, you can initialize 4 from either 1 or 2.

>
> Thank you
> Isabella
>
>
> have On 10/02/2015 03:48 PM, Rich Megginson wrote:
>> On 10/02/2015 12:16 PM, ghiureai wrote:
>>>
>>> Hi List and Rich,
>>>
>>> as per last documentation update I am trying to cfg fractional
>>> replication ( excluding memberOf plunging)  for a multimaster cfg
>>> server 3 ldap server, when starting with first one aftr mentioning
>>> "memberOf " to be excluded in replication agreement , I get a message
>>> like this ""Fractional replication can be done to a read-only suffix
>>> in replica "...is this the case , so no multimaster will work with
>>> fractional replication ? , or any other issue to get with message ?
>>> I am following same procedure as for mutimaster replication except the
>>> agreement has  fractional replication , is this the correct approach ?
>>
>>> Thank you
>>> Isabella
>>>
>>>
>>> Isabella
>>>
>>> On 10/01/2015 11:49 AM, ghiureai wrote:
>>>> Hi  List ,Rich
>>>> Here is the URL for the doc mentioned in this email, please can you
>>>> confirm if this is the case for multimaster replication and memberOf
>>>> plugin , is this the last update doc version ?
>>>>
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Advanced_Entry_Management.html#groups-cmd-memberof 
>>>>
>>>>
>>>>
>>>> Thank you
>>>> Isabella
>>>>     On 10/01/2015 11:20 AM, Rich Megginson wrote:
>>>>> On 10/01/2015 12:06 PM, ghiureai wrote:
>>>>>> Hi Rich
>>>>> Unless the issue involves some sort of security problem that 
>>>>> involves a
>>>>> potential CVE, or contains sensitive data internal to your 
>>>>> organization
>>>>> that you cannot make public, I would prefer that you use the
>>>>> 389-users at lists.fedoraproject.org for questions such as this. Not 
>>>>> only
>>>>> will this benefit the entire community, but there are others who can
>>>>> answer these sorts of questions.
>>>>>
>>>>>
>>>>>> Are you aware of any issues with MemberOf plugin and multimaster
>>>>>> replication, some of old documentation one of the developer 
>>>>>> mentioned
>>>>>> to me shows you can use full replication agreement ,
>>>>> Please provide the URL of the documentation.
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Advanced_Entry_Management.html#groups-cmd-memberof 
>>>>
>>>>
>>>>
>>>>>> please see bellow and if you can advise if this is still the case :
>>>>>>
>>>>>> "......The memberOf attributes for user entries should not be
>>>>>> replicated in multi-master environments. Make sure that the memberOf
>>>>>> attribute is excluded from replication in the replication agreement.
>>>>>> (Fractional replication is described in Section 11.1.7, 
>>>>>> “Replicating a
>>>>>> Subset of Attributes with Fractional Replication”.)
>>>>>> Each server must maintain its own MemberOf Plug-in independently. To
>>>>>> make sure that the memberOf attributes for entries are the same 
>>>>>> across
>>>>>> servers, simply configure the MemberOf Plug-in the same on all
>>>>>> servers.
>>>>>> With single-master replication, it is perfectly safe to replicate
>>>>>> memberOf attributes. Configure the MemberOf Plug-in for the 
>>>>>> supplier,
>>>>>> then replicate the memberOf attributes to the consumers. ....."
>>>>> Yes, in general it is better to replicate the group operations only,
>>>>> and
>>>>> let each directory server update the internal memberof data. This
>>>>> reduces the amount of replication traffic, and reduces the complexity
>>>>> and processing in the memberof plugin to know if it needs to 
>>>>> include or
>>>>> exclude an operation.
>>>>>
>>>>>> Thank you
>>>>>> Isabella
>>>>>>
>

More information about the 389-users mailing list