Red Hat Directory Server 8.0 Administrator's Guide

For more information on the ldapmodify command, see Section 2, “Managing Entries from the
Command-Line” and the Directory Server Configuration, Command, and File Reference.
18.2. Solving Orphan Entry Conflicts
When a delete operation is replicated and the consumer server finds that the entry to be deleted
has child entries, the conflict resolution procedure creates a glue entry to avoid having
orphaned entries in the directory.
In the same way, when an add operation is replicated and the consumer server cannot find the
parent entry, the conflict resolution procedure creates a glue entry representing the parent so
that the new entry is not an orphan entry.
Glue entries are temporary entries that include the object classes glue and extensibleObject.
Glue entries can be created in several ways:
If the conflict resolution procedure finds a deleted entry with a matching unique identifier, the
glue entry is a resurrection of that entry, with the addition of the glue object class and the
nsds5ReplConflict attribute.
In such cases, either modify the glue entry to remove the glue object class and the
nsds5ReplConflict attribute, which keeps the entry as a normal entry, or delete the glue entry
and its child entries.
The server creates a minimalistic entry with the glue and extensibleObject object classes.
In such cases, modify the entry to turn it into a meaningful entry or delete it and all of its child
entries.
18.3. Solving Potential Interoperability Problems
For interoperability with applications that rely on attribute uniqueness, such as a mail
server, it may be necessary to restrict access to the entries that contain the
nsds5ReplConflict attribute. If access to these entries is not restricted, an application that
expects a single matching entry picks up both the original entry and the conflict resolution entry
containing nsds5ReplConflict, and its operations fail.
To restrict access, modify the default ACI that grants anonymous read access:
ldapmodify -h hostname -D "cn=Directory Manager" -w password
> dn: dc=example,dc=com
> changetype: modify
> delete: aci
> aci: (target ="ldap:///dc=example,dc=com")(targetattr !="userPassword")(version 3.0;acl "Anonymous read-search access";allow (read, search, compare)(userdn = "ldap:///anyone");)
> -
> add: aci
> aci: (target="ldap:///dc=example,dc=com")(targetattr!="userPassword")
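The following is an added example, not code from the Red Hat guide: it audits an LDIF export for the glue entries of Section 18.2 and the nsds5ReplConflict entries that the Section 18.3 ACI restricts, and builds the ldapmodify record that turns a resurrected glue entry back into a normal entry. The LDIF input and the DNs in it are constructed sample data.

```python
# Constructed sample LDIF export (hypothetical entries under dc=example,dc=com):
# a resurrected glue parent carrying nsds5ReplConflict, and a minimal glue
# entry the server fabricated for a missing parent.
SAMPLE_LDIF = """\
dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
objectClass: glue
ou: People
nsds5ReplConflict: deletedEntryHasChildren

dn: cn=new_parent,dc=example,dc=com
objectClass: glue
objectClass: extensibleObject
cn: new_parent
"""

def parse_ldif(text):
    """Parse LDIF into [(dn, {attr: [values]})]: folds ' ' continuation lines,
    skips comments, does not decode base64 ('::') values."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.replace("\n ", "").splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append((attrs["dn"][0], attrs))
    return entries

def classify(entries):
    """Report glue entries by kind (Section 18.2) and every entry carrying
    nsds5ReplConflict, the entries whose access Section 18.3 restricts."""
    report = {"resurrected_glue": [], "minimal_glue": [], "conflict": []}
    for dn, attrs in entries:
        has_conflict = "nsds5replconflict" in attrs
        if has_conflict:
            report["conflict"].append(dn)
        if "glue" in {c.lower() for c in attrs.get("objectclass", [])}:
            report["resurrected_glue" if has_conflict else "minimal_glue"].append(dn)
    return report

def normalize_glue_ldif(dn):
    """ldapmodify record that keeps a resurrected glue entry as a normal entry:
    drop the glue object class and the nsds5ReplConflict attribute."""
    return (f"dn: {dn}\nchangetype: modify\n"
            "delete: objectClass\nobjectClass: glue\n-\n"
            "delete: nsds5ReplConflict\n-\n")
```

Run the same audit against a real export (for example the output of db2ldif) to list the conflict entries before deciding between normalizing and deleting each glue entry.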
Chapter 8. Managing Replication