15.10. Managing Attributes Within Fractional Replication
memberOf calculations) are run.
nsDS5ReplicatedAttributeList attribute. This attribute is part of the replication agreement and it can be configured in the replication agreement wizard in the web console or through the command line when the replication agreement is created.
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof authorityRevocationList accountUnlockTime
(objectclass=*) $ EXCLUDE part in the value of the nsDS5ReplicatedAttributeList attribute. If you edit the attribute directly, for example using the ldapmodify utility, you must specify this part together with the list of attributes as displayed in the example above. However, both dsconf and the web console automatically add the (objectclass=*) $ EXCLUDE part, so you specify only the attributes.
15.10.1. Setting Different Fractional Replication Attributes for Total and Incremental Updates
nsDS5ReplicatedAttributeList is the primary fractional replication attribute. If only nsDS5ReplicatedAttributeList is set, then it applies to both incremental updates and total updates. If both nsDS5ReplicatedAttributeList and nsDS5ReplicatedAttributeListTotal are set, then nsDS5ReplicatedAttributeList only applies to incremental updates.
memberOf attribute is added to an entry, a memberOf fixup task is run to resolve the group membership. This can cause overhead on the server if that task is run every time replication occurs. Since a total update only occurs for a database which is newly added to replication or that has been offline for a long time, running a memberOf fixup task after a total update is an acceptable option. In this case, the nsDS5ReplicatedAttributeList attribute lists memberOf so it is excluded from incremental updates, but nsDS5ReplicatedAttributeListTotal does not list memberOf so that it is included in total updates.
nsDS5ReplicatedAttributeList attribute for the replication agreement. For example:
nsds5replicatedattributelist: (objectclass=*) $ EXCLUDE authorityRevocationList accountUnlockTime memberof
nsDS5ReplicatedAttributeList attribute, use the dsconf repl-agmt set command. For example:
# dsconf -D "cn=Directory Manager" ldap://supplier.example.com repl-agmt set \
    --suffix="suffix" --frac-list="authorityRevocationList accountUnlockTime memberof" \
    agreement_name
nsDS5ReplicatedAttributeList is the only attribute set, then that list applies to both incremental and total updates. To set a separate list for total updates, add the nsDS5ReplicatedAttributeListTotal attribute to the replication agreement:
# dsconf -D "cn=Directory Manager" ldap://supplier.example.com repl-agmt set \
    --suffix="suffix" --frac-list-total="accountUnlockTime" \
    agreement_name
nsDS5ReplicatedAttributeList attribute must be set for incremental updates before nsDS5ReplicatedAttributeListTotal can be set for total updates.
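The rules in this section can be checked against an exported agreement entry. The following is an added example, not code from the original page or from Directory Server: the function names are hypothetical, the sample entry is constructed, and the case-insensitive comparison of the prefix is an assumption of the example.

```python
PREFIX = "(objectclass=*) $ EXCLUDE"

def parse_frac_list(value):
    """Return the excluded attribute names, lower-cased; reject a value that lacks the prefix."""
    # Assumption of this example: the prefix is compared case-insensitively.
    if not value.lower().startswith(PREFIX.lower()):
        raise ValueError("missing %r part in %r" % (PREFIX, value))
    return {name.lower() for name in value[len(PREFIX):].split()}

def read_agreement(ldif):
    """Read one unfolded LDIF entry into a dict with lower-cased attribute names."""
    entry = {}
    for line in ldif.strip().splitlines():
        name, _, value = line.partition(":")
        entry[name.strip().lower()] = value.strip()
    return entry

def effective_excludes(entry):
    """Apply the rules above and return the exclusion set per update type."""
    base = entry.get("nsds5replicatedattributelist")
    total = entry.get("nsds5replicatedattributelisttotal")
    if base is None:
        if total is not None:
            raise ValueError("total list set without nsDS5ReplicatedAttributeList")
        return {"incremental": set(), "total": set()}
    incremental = parse_frac_list(base)
    # Without a separate total list, the base list covers both update types.
    return {"incremental": incremental,
            "total": parse_frac_list(total) if total is not None else incremental}

def only_in_total_updates(entry):
    """Attributes withheld from incremental updates but sent in a total update."""
    eff = effective_excludes(entry)
    return sorted(eff["incremental"] - eff["total"])

# Constructed sample entry; the DN reuses the page's placeholders.
SAMPLE = """
dn: cn=agreement_name,cn=replica,cn=suffix,cn=mapping tree,cn=config
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE authorityRevocationList accountUnlockTime memberof
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE accountUnlockTime
"""

if __name__ == "__main__":
    print(only_in_total_updates(read_agreement(SAMPLE)))
```

Any attribute this reports still reaches the consumer whenever it is initialized, which matters when the fractional list is used to keep data off that consumer rather than to save bandwidth.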
15.10.2. The Replication Keep-alive Entry
keepalivetimestamp attribute is updated on the supplier and replicated to the consumer. Because the keepalivetimestamp attribute is not excluded from replication, the update of the keep-alive entry is replicated, and the CSN on the consumer is updated and is then equal to the one on the supplier. The next time the supplier connects to the consumer, only updates that are newer than the CSN on the consumer are searched. This reduces the amount of time spent by a supplier to search for new updates to send.
# ldapsearch -D "cn=Directory Manager" -b "dc=example,dc=com" -W -p 389 -h server.example.com -x 'objectClass=ldapsubentry'
dn: cn=repl keep alive 1,dc=example,dc=com
objectclass: top
objectclass: ldapsubentry
objectclass: extensibleObject
cn: repl keep alive 1
keepalivetimestamp: 20181112150654Z
- When a fractional replication agreement skips more than 100 updates and does not send any updates before ending the replication session.
- When a master initializes a consumer, initially it creates its own keep-alive entry. A consumer that is also a master does not create its own keep-alive entry unless it also initializes another consumer.
15.10.3. Preventing "Empty" Updates from Fractional Replication
nsDS5ReplicatedAttributeList). However, a change to an excluded attribute still triggers a modify event and generates an empty replication update.
nsds5ReplicaStripAttrs attribute adds a list of attributes which cannot be sent in an empty replication event and are stripped from the update sequence. This logically includes operational attributes like
accountUnlockTime attribute is excluded. John Smith's user account is locked and then the time period expires and it is automatically unlocked. Only the accountUnlockTime attribute has changed, and that attribute is excluded from replication. However, the operational attribute internalmodifytimestamp also changed. A replication event is triggered because John Smith's user account was modified, but the only data to send is the new modify time stamp and the update is otherwise empty. If there are a large number of attributes related to login times or password expiration times (for example), this could create a flood of empty replication updates that negatively affect server performance or that interfere with associated applications.
nsds5ReplicaStripAttrs attribute to the replication agreement to help tune the fractional replication behavior:
# dsconf -D "cn=Directory Manager" ldap://supplier.example.com repl-agmt set \
    --suffix="suffix" \
    --strip-list="modifiersname modifytimestamp internalmodifiersname" \
    agreement_name
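The effect of the strip list on a stream of modify operations can be modelled in a few lines. This is an added example, not Directory Server code or code from the original page: the function names are hypothetical, the events are constructed, and the logic follows the behaviour described in this section, with the two lists taken from the commands above.

```python
def attrs_to_send(changed, excluded, strip=()):
    """Return the attributes an incremental update would carry, or [] if it is skipped.

    `excluded` is the fractional list and `strip` the nsds5ReplicaStripAttrs list;
    attribute names are compared case-insensitively.
    """
    excluded = {a.lower() for a in excluded}
    strip = {a.lower() for a in strip}
    remaining = [a for a in changed if a.lower() not in excluded]
    # If only strip-list attributes are left, the update carries no real data.
    if all(a.lower() in strip for a in remaining):
        return []
    return remaining

def count_sent(events, excluded, strip=()):
    """Number of modify events that still produce a replication update."""
    return sum(1 for changed in events if attrs_to_send(changed, excluded, strip))

EXCLUDED = "authorityRevocationList accountUnlockTime memberof".split()
STRIP = "modifiersname modifytimestamp internalmodifiersname".split()

# Constructed modify events: each list names the attributes one operation changed.
EVENTS = [
    ["accountUnlockTime", "modifyTimestamp", "modifiersName"],  # automatic unlock
    ["accountUnlockTime", "modifyTimestamp", "modifiersName"],  # another unlock
    ["memberOf", "modifyTimestamp"],                            # group fixup
    ["mail", "modifyTimestamp", "modifiersName"],               # real data change
]

if __name__ == "__main__":
    print("without strip list:", count_sent(EVENTS, EXCLUDED))
    print("with strip list:   ", count_sent(EVENTS, EXCLUDED, STRIP))
```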