Re: Replication of LDAP extended operations

[Howard Chu <hyc@symas.com>]

Erco Argante (RY/ETM) wrote:
> Hi,
>
> I've configured a master slapd for replication, which nicely produces
> entries in the replication log file for LDAP add/modify/delete
> operations. However, when the master slapd receives an LDAP extended
> operation (that modifies the LDAP DIT), which is successfully processed,
> no entry is made in the replication log file. Consequently, slurpd will
> not send the LDAP extended operation to slave slapd's and the slave DITs
> will not be updated.
>
> "Man slapd.replog(5)" does not mention anything about LDAP extended
> operations.
>   

The slurpd replog is based on the LDIF specification, which does not 
provide any mechanism for denoting extended operations. So simply put, 
it is impossible for slurpd to replicate extended operations.

The auditlog format that I've designed, which is used in OpenLDAP 
delta-syncrepl, addresses this and many other shortcomings in the LDIF 
spec.  http://www.ietf.org/internet-drafts/draft-chu-ldap-logschema-00.txt
> Have I made an error and should this normally work?
>
> Is it a deliberate choice of Open LDAP to not implement this
> functionality, or might this functionality be added in future slapd
> implementations?
>   
> Is there a workaround for this problem other than not using LDAP
> extended operations?
>   
The workaround used for the passwordModify exop code in OpenLDAP is to 
internally re-issue the desired changes as a standard Modify operation. 
This is the most reliable way to get the changes propagated.

Going forward, slurpd will be dropped from the code base and only 
syncrepl-based replication mechanisms will be supported.

--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/