HP-UX Directory Server 8.1 administrator guide

ManualsBrandsHP ManualsSoftwareHP-UX Directory Server

381

382

383

384

385

386

387

388

389

390

Glue entries are temporary entries that include the object classes glue and extensibleObject.

Glue entries can be created in several ways:

• If the conflict resolution procedure finds a deleted entry with a matching unique identifier,

the glue entry is a resurrection of that entry, with the addition of the glue object class and

the nsds5ReplConflict attribute.

In such cases, either modify the glue entry to remove the glue object class and the

nsds5ReplConflict attribute to keep the entry as a normal entry or delete the glue entry

and its child entries.

• The server creates a minimalistic entry with the glue and extensibleObject object

classes.

In such cases, modify the entry to turn it into a meaningful entry or delete it and all its child

entries.

8.18.3 Solving potential interoperability problems

For reasons of interoperability with applications that rely on attribute uniqueness, such as a mail

server, it may be necessary to restrict access to the entries that contain the nsds5ReplConflict

attribute. If access is not restricted to these entries, then the applications requiring one attribute

only pick up both the original entry and the conflict resolution entry containing the

nsds5ReplConflict, and operations will fail.

To restrict access, modify the default ACI that grants anonymous read access:

ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com

dn: dc=example,dc=com

changetype: modify

delete: aci

aci: (target ="ldap:///dc=example,dc=com")(targetattr

!="userPassword")(version 3.0;acl "Anonymous read-search

access";allow (read, search, compare)(userdn = "ldap:///anyone");)

add: aci

aci: (target="ldap:///dc=example,dc=com")(targetattr!="userPassword")

(targetfilter="(!(nsds5ReplConflict=*))")(version 3.0;acl

"Anonymous read-search access";allow (read, search, compare)

(userdn="ldap:///anyone");)

The new ACI filters out all entries that contain the nsds5ReplConflict attribute from search

results.

For more information on the ldapmodify command, see “Managing entries from the command

line” and the HP-UX Directory Server configuration, command, and file reference.

8.19 Troubleshooting replication-related problems

This section lists some error messages, explains possible causes, and offers remedies.

It is possible to get more debugging information for replication by setting the errors log level to

8192, which is replication debugging. See “Troubleshooting replication-related problems”.

To change the errors log level to 8192, run the following ldapmodify command:

dn: cn=config

changetype: modify

replace: nsslapd-errorlog-level

nsslapd-errorlog-level: 8192

Because log level is additive, running the above command will result in excessive messages in

the errors log. So, use it judiciously.

To turn off replication debugging log, set the same attribute to 0.

8.19 Troubleshooting replication-related problems 389