Thursday, January 11, 2024

[389-users] Re: Solving naming conflicts in replicated environment

Hi William,

Referring to the entries by nsuniqueid is one fundamental point of the replication protocol. dn are not reliable enough to identify an entry (remember that entries may be renamed and that replication protocol is asynchronous. nsuniqueid was created to be able to identify uniquely an entry among the replicas)
When sending an update the supplier add a special control to the replayed operation containing the nsuniqueid, the csn and some other data, the consumer use the control to get these data and although the operation is logged with the original dn, it is applied on the entry with the nsuniqueid. 


On Fri, Jan 12, 2024 at 12:02 AM William Faulk <> wrote:
Sorry. I did confirm that the nsuniqueid of the bad replica's active entry is different from the other replicas' entries and I forgot to say that. (The conflict entry's nsuniqueid and the entries on the good replicas match, too.) Here are the entries, with names and crypto stuff redacted, but everything else verbatim:


My concern is that the access logs seem to contradict what Pierre said: that replicated deletes are basing the delete on the nsuniqueid. If I can get a confirmation that the logs are lying to me, that's fine. I just want to be doubly sure.

That said, I then have a concern about the group memberships on the conflict entry once it's renamed. I can't imagine that it will acquire the correct groups just by being renamed. Am I going to just need to fix that up manually? (That may be outside the scope of this mailing list.)
389-users mailing list --
To unsubscribe send an email to
Fedora Code of Conduct:
List Guidelines:
List Archives:
Do not reply to spam, report it:


389 Directory Server Development Team

No comments:

Post a Comment