Hi William,
Referring to the entries by nsuniqueid is one fundamental point of the replication protocol. dn are not reliable enough to identify an entry (remember that entries may be renamed and that replication protocol is asynchronous. nsuniqueid was created to be able to identify uniquely an entry among the replicas)
When sending an update the supplier add a special control to the replayed operation containing the nsuniqueid, the csn and some other data, the consumer use the control to get these data and although the operation is logged with the original dn, it is applied on the entry with the nsuniqueid.
Regards
Pierre
Referring to the entries by nsuniqueid is one fundamental point of the replication protocol. dn are not reliable enough to identify an entry (remember that entries may be renamed and that replication protocol is asynchronous. nsuniqueid was created to be able to identify uniquely an entry among the replicas)
When sending an update the supplier add a special control to the replayed operation containing the nsuniqueid, the csn and some other data, the consumer use the control to get these data and although the operation is logged with the original dn, it is applied on the entry with the nsuniqueid.
Regards
Pierre
On Fri, Jan 12, 2024 at 12:02 AM William Faulk <d4hgcdgdmj@liamekaens.com> wrote:
Sorry. I did confirm that the nsuniqueid of the bad replica's active entry is different from the other replicas' entries and I forgot to say that. (The conflict entry's nsuniqueid and the entries on the good replicas match, too.) Here are the entries, with names and crypto stuff redacted, but everything else verbatim:
good: https://pastebin.com/N2AZNXAH
bad: https://pastebin.com/MMMzqwN3
My concern is that the access logs seem to contradict what Pierre said: that replicated deletes are basing the delete on the nsuniqueid. If I can get a confirmation that the logs are lying to me, that's fine. I just want to be doubly sure.
That said, I then have a concern about the group memberships on the conflict entry once it's renamed. I can't imagine that it will acquire the correct groups just by being renamed. Am I going to just need to fix that up manually? (That may be outside the scope of this mailing list.)
--
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
389 Directory Server Development Team
389 Directory Server Development Team
No comments:
Post a Comment