I am trying to configure a 2 LDAP directory server system that allows updates to occur (from a user) on server 1 and server 2 with server 1 replicating changes to server 2 via the refresh and persist method of syncrepl. Only a small number of records will be updated by users on server 2 (5,000 records) and the changes will be made only within 2 unique branches of the tree (ounit=system,dc=authentx and permissions=dxy,ounit=permissions,dc=authentx); any records that are updated/added/deleted by users on server 2 must not be replicated to server 1. Replication is one-way from server 1 from server 2. Replication works fine if both the provider and consumer servers are up. The problem I am having occurs when server 2’s consumer slapd starts and a refresh present phase occurs (a refresh present phase occurs if changes are made to the provider while the consumer is down and then the provider slapd is bounced (stopped/restarted).
In scenario 1, I defined the consumer to replicate everything from the provider. When the refresh present occurs on the consumer, the consumer slapd deletes any records that were previously added by a user at server 2. My understanding is that this is the normal behavior.
In scenario 2, I defined the consumer to replicate only certain branches from the provider by specifying a “filter” statement in the “syncrepl” section of the slapd.conf file. When the refresh present occurs on the consumer, the consumer slapd deletes numerous records within some of the branches that were specified in the filter statement. For example, my syncrepl statement is:
syncrepl rid=001
provider=ldap://localhost:3891
type=refreshAndPersist
retry="30 60 60 +"
searchbase="dc=authentx"
filter="(|(entrydn:dnSubtreeMatch:=ounit=credentials,dc=authentx)
(entrydn:dnSubtreeMatch:=ounit=entities,dc=authentx)
(entrydn:dnSubtreeMatch:=permissions=authentx,ounit=permissions,dc=authentx)
(entrydn:dnSubtreeMatch:=permissions=hspd12,ounit=permissions,dc=authentx))"
scope=sub
schemachecking=off
bindmethod=simple
binddn="cn=xroot,dc=authentx"
credentials="SECRET"
mirrormode on
The consumer slapd did not delete records incorrectly when I tested with a 3,000 record database, but when I tested with a 750,000 record database, when the refresh present occurs on the consumer, the consumer slapd deletes numerous records within some of the branches that were specified in the filter statement (these are deleted by the syncrepl_del_nonpresent() function, based on messages in the slapd log file with sync debug turned on). The 750,000 record database provider has records in the following branches:
ounit=credentials,dc=authentx (300,000+ records)
ounit=entities,dc=authentx (20,000+ records)
permissions=authentx,ounit=permissions,dc=authentx (6 records)
permissions=dxy,ounit=permissions,dc=authentx (4,000+ records)
permissions=hspd12,ounit=permissions,dc=authentx (50,000+ records)
ounit=system,dc=authentx (13 records)
After the sync refresh phase occurred on the consumer, the consumer database has records in the following branches:
ounit=credentials,dc=authentx (300,000+ records)
ounit=entities,dc=authentx (20,000+ records)
permissions=authentx,ounit=permissions,dc=authentx (0 records)
permissions=dxy,ounit=permissions,dc=authentx (0 records)
permissions=hspd12,ounit=permissions,dc=authentx (0 records)
ounit=system,dc=authentx (0 records)
In scenario 3, I defined the consumer as a multi-master consumer by specifying the “overlay syncprov” section in the slapd.conf file. When a "Refresh Present" phase is performed at a multi-master consumer, objects that were deleted at the provider while the consumer was down are not deleted from the multi-master consumer (if the provider is brought down and back up after the consumer is down). I wrote ITS#6671 for this problem.
Does anyone have any suggestions on how I can accomplish my requirements for the 2 servers?
Barry Colston