On 5/15/07, <b class="gmail_sendername">Richard Megginson</b> <<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>> wrote:<div><span class="gmail_quote"></span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Bjorn Oglefjorn wrote:<br>> On 5/15/07, *Richard Megginson* <<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a><br>> <mailto:<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>>> wrote:
<br>><br>> Bjorn Oglefjorn wrote:<br>> > That's the problem Richard, I'm not sure how it happens. I can tell<br>> > you this much though. I am using NSUniqueID as a globally unique id
<br>> > for a one-way sync agreement to a specific application (from FDS to<br>> > the application). The requirement for the globally unique id is<br>> that<br>> > it never changes. If it somehow does change, the sync process
<br>> > provides an error stating that the globally unique ids in FDS<br>> and the<br>> > application no longer match. I can't determine exactly what is<br>> > causing this change, but I do know that it is happening.
<br>> But how does the sync process/application determine that the unique ID<br>> has changed? And is it possible that some application is writing<br>> to the<br>> nsUniqueID attribute and changing its value externally? Are you using
<br>> replication?<br>><br>><br>> There is no application that has write access to our LDAP user tree.<br>> I am using a dual multi-master replication setup. What about<br>> replication would cause the NSUniqueID to change?
<br>If you delete an entry then add it back with the same DN and mail value,<br>it will generate a new nsUniqueID for the new entry. Also, certain<br>replication operations may generate replication conflict entries. In<br>
this case, you could see two entries with the same mail attribute but<br>different nsUniqueID values and different DNs.</blockquote><div><br>The entry was not deleted, only the mail attribute was modified. The RDN contains the uid of the entry.
<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">To check for this, do a search for each of the "duplicate" nsUniqueID
<br>values using a search filter like this:<br>(|(nsuniqueid=value1)(objectclass=nsTombstone))<br>and<br>(|(nsuniqueid=value2)(objectclass=nsTombstone))</blockquote><div><br>The first filter returns nothing (implying that there are no entries in the directory with objectclass=nsTombstone). The second filter returns the entry in question. That seems to be what one would normally expect if there hadn't been a change in the nsuniqueid, correct?
<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">><br>> For example, does your sync app do something like this:<br>> get entry by name
e.g . (uid=somename). Store the nsUniqueID for<br>> the entry.<br>> Then later, do the same search (uid=somename) and get the nsUniqueID.<br>> Compare the nsUniqueID to the one stored previously.<br>
><br>><br>> That is nearly exactly how the sync application works. For any entry<br>> that the application keeps track of, it keeps a 'lastseen' LDIF. on<br>> the next run of the sync, a search is performed and the LDIFs are
<br>> compared.<br>><br>> If this is the case, is it possible that the uid for the entry has<br>> changed?<br>><br>><br>> No, the only change made to the entry in question was to the 'mail'
<br>> attribute.<br>><br>> > --BO<br>> ><br>> > On 5/15/07, *Richard Megginson* <<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a><br>> <mailto:<a href="mailto:rmeggins@redhat.com">
rmeggins@redhat.com</a>><br>> > <mailto:<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a> <mailto:<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>>>> wrote:<br>> >
<br>> > Bjorn Oglefjorn wrote:<br>> > > Hello all,<br>> > ><br>> > > Can someone tell me, does the NSUniqueID attribute ever<br>> change for a<br>> > > given entry in the directory?
<br>> > No.<br>> > > If so (I've seen it happen),<br>> > Can you describe exactly what you saw and how to reproduce it?<br>> > > what are the criteria that prompt NSUniqeID to change?
<br>> > ><br>> > > Thanks,<br>> > > BO<br>> > ><br>> ><br>> ------------------------------------------------------------------------<br>
> > ><br>> > > --<br>> > > Fedora-directory-users mailing list<br>> > > <a href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com
</a><br>> <mailto:<a href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</a>><br>> > <mailto:<a href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com
</a><br>> <mailto:<a href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</a>>><br>> > > <a href="https://www.redhat.com/mailman/listinfo/fedora-directory-users">
https://www.redhat.com/mailman/listinfo/fedora-directory-users</a><br>> > <<br>> <a href="https://www.redhat.com/mailman/listinfo/fedora-directory-users">https://www.redhat.com/mailman/listinfo/fedora-directory-users
</a>><br>> > ><br>> ><br>> > --<br>> > Fedora-directory-users mailing list<br>> > <a href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com
</a><br>> <mailto:<a href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</a>><br>> > <mailto:<a href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com
</a><br>> <mailto:<a href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</a>>><br>> > <a href="https://www.redhat.com/mailman/listinfo/fedora-directory-users">https://www.redhat.com/mailman/listinfo/fedora-directory-users
</a><br>> ><br>> ><br>> ><br>> ><br>> ------------------------------------------------------------------------<br>> ><br>> > --<br>> > Fedora-directory-users mailing list
<br>> > <a href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</a><br>> <mailto:<a href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</a>>
<br>> > <a href="https://www.redhat.com/mailman/listinfo/fedora-directory-users">https://www.redhat.com/mailman/listinfo/fedora-directory-users</a><br>> <<a href="https://www.redhat.com/mailman/listinfo/fedora-directory-users">
https://www.redhat.com/mailman/listinfo/fedora-directory-users</a>><br>> ><br>><br>> --<br>> Fedora-directory-users mailing list<br>> <a href="mailto:Fedora-directory-users@redhat.com">
Fedora-directory-users@redhat.com</a><br>> <mailto:<a href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</a>><br>> <a href="https://www.redhat.com/mailman/listinfo/fedora-directory-users">
https://www.redhat.com/mailman/listinfo/fedora-directory-users</a><br>><br>><br>><br>> ------------------------------------------------------------------------<br>><br>> --<br>> Fedora-directory-users mailing list
<br>> <a href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</a><br>> <a href="https://www.redhat.com/mailman/listinfo/fedora-directory-users">https://www.redhat.com/mailman/listinfo/fedora-directory-users
</a><br>><br><br>--<br>Fedora-directory-users mailing list<br><a href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</a><br><a href="https://www.redhat.com/mailman/listinfo/fedora-directory-users">
https://www.redhat.com/mailman/listinfo/fedora-directory-users</a><br><br><br></blockquote></div><br>