[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Replicating from a mirrormode pair to a read-only server
On Wed, Sep 22, 2010 at 10:00:29AM +0200, Jonathan CLARKE wrote:
>> The slave has one entry where pwdAccountLockedTime is missing. This
>> is an account that was locked by admin action between the initial load
>> data being dumped from the master server and the new slave being started
>> up, so it should have been replicated from one master or the other by
>> syncrepl. Every other attribute in the entry is identical, including the
>> modifyTimestamp which records when the pwdAccountLockedTime attribute
>> was added. I know that the entry did not change after that, as I have
>> a full changelog on both masters.
>
> This is most likely a separate issue. Updates to the ppolicy operational
> attributes are not replicated like "standard" changes, but instead written
> directly into the local database. So it's to be expected that you see
> differences on these attributes between syncrepl consumers/providers.
That is true for updates that result from local Bind operations
(recording password failures, lockouts due to password failures etc).
In my case the missing update reflected administrative action taken
on the master server, and thus it should have propagated. The
modifyTimestamp did propagate, but the actual admin action did not...
> See the ppolicy_forward_updates option in slapo-ppolicy(5) for details and
> a possible workaround.
That only applies to a Bind-induced change propagating against the
normal flow of replication. My case was the reverse. Unfortunately the
machines concerned are now in production service so it will be hard to
replicate the circumstances.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------