[389-users] memberof entries not appearing in replica with memberof plugin

Nathan Kinder nkinder at redhat.com
Wed Nov 11 16:04:39 UTC 2009

On 11/10/2009 08:35 PM, John A. Sullivan III wrote:
> Hello, all.  I'm running CentOS Directory Server 8.1 on CentOS 5.4.  For
> some reason, the memberof plugin does not seem to be working on the
> replica.  My first suspicion is we have done something wrong but I
> wonder if there is an error in the documentation.  Here are the details.
> We are a single master setup with a single replica.  We noticed some of
> our LDAP queries were not correctly detecting group membership.  We
> double checked the memberofplugin configuration and, for some reason, it
> seems to have reverted to looking at member instead of uniquemember.  We
> changed this on the master and our problem went away.
> However, in the process of double-checking our steps, we read that the
> memberof attribute should NOT be replicated.  We had not excluded it.
> So, we destroyed the replication agreement, created a new fractional
> replication enabled one, and reinitialized the replica.  All of the
> memberof information was missing from all users on the replica.  We then
> tried to rebuild it by running the fixup-memberof.pl script.  That
> didn't work.  We then simply tried deleting users from groups and adding
> them to see if that would work. It worked fine on the master but not on
> the replica.
> Is the documentation in error and replication of memberof should be
> excluded only in multimaster but should be propagated to consumers or
> have we done something wrong? I compared the memberofplugin definitions
> in dse.ldif on both and they look identical including being enabled.
> Nothing is jumping out in the error or audit logs.

The only reason for using fractional replication to exclude the memberOf
attribute is to avoid any sort of dangling membership issue when using
multi-master replication.  In your single-master replication setup, you
only need to configure the memberOf plug-in on your master, not the
replica.  You can then safely replicate the memberOf attribute since a
single-master replication scenario has no chance for conflicting changes
from separate masters.

Please open a documentation bug on this so we can get things cleared up
in the manuals.

> We eventually added memberof to the replication agreement and
> resynchronized just to get the data across.  We've pulled it back out
> and, as expected, any changes are not replicating.  What are we doing
> wrong? Where do we look next to troubleshoot it? Thanks - John
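
An added example, not part of the original thread or the 389 project's own code: a Python check over a master's dse.ldif for the two settings discussed above, the memberOf plug-in's group attribute and whether a replication agreement excludes memberOf. The LDIF sample, hostname and suffix are constructed, and the default expectation of uniquemember is an assumption that mirrors the poster's groups.

```python
# Constructed dse.ldif excerpt (not from the thread); host and suffix are placeholders.
SAMPLE_DSE = """\
dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: nsSlapdPlugin
nsslapd-pluginEnabled: on
memberofgroupattr: member
memberofattr: memberOf

dn: cn=to-replica,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: nsDS5ReplicationAgreement
nsDS5ReplicaHost: replica.example.com
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberOf
"""

def parse_ldif(text):
    """Parse simple LDIF (no base64 values) into a list of {attr_lower: [values]}."""
    entries = []
    unfolded = text.replace("\n ", "")  # LDIF continuation lines start with one space
    for block in unfolded.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                attr, value = line.split(": ", 1)
                entry.setdefault(attr.lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def audit(text, single_master=True, group_attr="uniquemember"):
    """Return findings about memberOf plug-in config and fractional replication."""
    findings = []
    for e in parse_ldif(text):
        dn = e.get("dn", [""])[0]
        classes = [c.lower() for c in e.get("objectclass", [])]
        if dn.lower().startswith("cn=memberof plugin,"):
            if e.get("nsslapd-pluginenabled", ["off"])[0].lower() != "on":
                findings.append("memberOf plug-in is disabled")
            attrs = [a.lower() for a in e.get("memberofgroupattr", [])]
            if group_attr not in attrs:
                findings.append(f"memberofgroupattr is {attrs}, expected {group_attr}")
        if "nsds5replicationagreement" in classes:
            attr_list = e.get("nsds5replicatedattributelist", [""])[0]
            excluded = [a.lower() for a in attr_list.partition("EXCLUDE")[2].split()]
            if single_master and "memberof" in excluded:
                findings.append(f"{dn}: memberOf excluded; replica will not receive it")
            if not single_master and "memberof" not in excluded:
                findings.append(f"{dn}: memberOf replicated between masters")
    return findings
```

Calling `audit(open("dse.ldif").read())` on the master's configuration lists each mismatch as a string; an empty list means both settings match the single-master layout described in the reply.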
