matteomarocco

Unidirectional Replica eDirectory 8.8

Hi everyone,

I would like to set a uni-directional replica on my eDirectory. I have a Master replica and a read-only replica, but if I make modifications on the read-only replica, it affects the master (for example, if I create a user on the read-only replica, the user is created even on the Master).

Is it possible to have a replication only from the Master to the read-only, and not vice-versa? I read about Inherited Rights Filter but I can't find an application for this situation.

Can anyone help me?

Thank You

Re: Unidirectional Replica eDirectory 8.8

On 2018-10-23 11:44, matteomarocco wrote:
>
> Hi everyone,
>
> I would like to set a uni-directional replica on my eDirectory. I have
> a Master replica and a read-only replica, but if I make modifications on
> the read-only replica, it affects the master (for example, if I create a
> user on the read-only replica, the user is created even on the Master).
>
> Is it possible to have a replication only from the Master to the
> read-only, and not vice-versa? I read about Inherited Rights Filter but
> I can't find an application for this situation.
>
> Can anyone help me?
>
> Thank You
>
>

No I don't think it works that way.
The user is probably created on a R/W replica and replicated to your R/O
replica.
If you want a R/O situation make sure that the user you are logging in
with doesn't have any rights to create/write.

--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.
matteomarocco

Re: Unidirectional Replica eDirectory 8.8

alekz;2489262 wrote:
> On 2018-10-23 11:44, matteomarocco wrote:
>>
>> Hi everyone,
>>
>> I would like to set a uni-directional replica on my eDirectory. I have
>> a Master replica and a read-only replica, but if I make modifications on
>> the read-only replica, it affects the master (for example, if I create a
>> user on the read-only replica, the user is created even on the Master).
>>
>> Is it possible to have a replication only from the Master to the
>> read-only, and not vice-versa? I read about Inherited Rights Filter but
>> I can't find an application for this situation.
>>
>> Can anyone help me?
>>
>> Thank You
>
> No I don't think it works that way.
> The user is probably created on a R/W replica and replicated to your R/O
> replica.
> If you want a R/O situation make sure that the user you are logging in
> with doesn't have any rights to create/write.
>
> --
> If you find this post helpful and are logged into the web interface,
> show your appreciation and click on the star below.

No, I created a test user on the R/O replica, not on the R/W.
But when I access the Master server, I can find the test user even on the Master.

What do you mean by "make sure that the user you are logging in with doesn't have any rights to create/write."? The replica uses the Admin account for replication, but I cannot set the replica with an account that is not supervisor.

Re: Unidirectional Replica eDirectory 8.8

>> No I don't think it works that way.
>> The user is probably created on a R/W replica and replicated to your
>> R/O replica.
>> If you want a R/O situation make sure that the user you are logging in
>> with doesn't have any rights to create/write.



> No, I created a test user on the R/O replica, not on the R/W.
> But when I access the Master server, I can find the test user even on
> the Master.


So it clearly is NOT a read only replica, if you were about to write to it.

> What do you mean by "make sure that the user you are logging in
> with doesn't have any rights to create/write."? The replica uses the
> Admin account for replication, but I cannot set the replica with an
> account that is not supervisor.


Not everyone uses the Admin account, nor should they. Restrict access.
If no one has permission to modify the replica, then no one can.

Replicas do not use accounts for replication; that is a backend process
(servers auth to each other over NCP).

matteomarocco

Re: Unidirectional Replica eDirectory 8.8

Ok, maybe I'm not being clear.

I have a replica where I want to make changes, but I don't want those changes to go to the Master replica; but the changes made on the Master replica must go to the replica I created.

So a uni-directional flow that goes only from the master to my secondary replica, but I must be able to make changes (create, modify, etc.) on both the servers.

Re: Unidirectional Replica eDirectory 8.8

On 10/23/2018 05:24 AM, matteomarocco wrote:
>
> Ok, maybe I'm not being clear.
>
> I have a replica where I want to make changes, but I don't want those
> changes to go to the Master replica; but the changes made on the Master
> replica must go to the replica I created.


What you are describing is a separate tree. eDirectory does not allow
normal, replicate-able, changes to be written on one box without
replicating them to another box. There is a read-only replica type, but
that means it is really read-only, meaning you cannot write to it at all
directly, though changes made to non-read-only replicas will replicate to
it to keep it up to date.

If you need to have something that is out of sync like this, create a
separate tree and synchronize from one to the other (but not the other way
around) using Identity Manager (IDM) for which there is a dedicated
engine/drivers forum on this same forum server.

> So a uni-directional flow that goes only from the master to my
> secondary replica, but I must be able to make changes (create, modify,
> etc.) on both the servers.


It may be useful to understand the business case behind this, but see
above for how to do it.

I suppose I should add a caveat that if you want you can partition off the
portion of your tree which should not be replicated back to the first
server and then ONLY host it on the one that is writable, but that's
risky, and not really how I interpret what you want.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.

Re: Unidirectional Replica eDirectory 8.8

This is fortunately impossible in a sophisticated directory service as it would be a programmatic highway to inconsistency and data corruption (which MAD delivers out-of-the-box). Imagine you'd create userA on a replica residing on let's say serverB which wouldn't sync to serverA. Later on someone creates another object userA (in the same context) on serverA which DOES sync to serverB. Which object should "win"?
We have, of course, mechanisms in eDirectory to handle such situations (which could e.g. occur if the servers are located in different sites and the WAN link is broken), but you'd never want to have such an offset intentionally.
What are you trying to accomplish?

Re: Unidirectional Replica eDirectory 8.8

On 10/23/2018 7:24 AM, matteomarocco wrote:
>
> Ok, maybe I'm not being clear.
>
> I have a replica where I want to make changes, but I don't want those
> changes to go to the Master replica; but the changes made on the Master
> replica must go to the replica I created.


Nope. That breaks the replication model.

Now, it is possible you want different values on different replicas, in
which case eDir has a schema flag called Per Server that IDM uses quite
heavily.

For example, an IDM driver can be in a driver set that has 6 servers.
But only runs on one. So IDM uses an eDir attribute called
DirXML-DriverStartOption.

So on replica/server1, it is set to Auto. On Server2-6 it is set to
Disabled. This is allowed because of the odd schema flag.

If that is what you are looking for, consider that.

But breaking replication is kind of a terrible idea.


> So a uni-directional flow that goes only from the master to my
> secondary replica, but I must be able to make changes (create, modify,
> etc.) on both the servers.


That is easy. No.



Re: Unidirectional Replica eDirectory 8.8

On 2018-10-23 12:26, matteomarocco wrote:
>
> alekz;2489262 Wrote:
>> On 2018-10-23 11:44, matteomarocco wrote:
>>>
>>> Hi everyone,
>>>
>>> I would like to set a uni-directional replica on my eDirectory. I have
>>> a Master replica and a read-only replica, but if I make modifications on
>>> the read-only replica, it affects the master (for example, if I create a
>>> user on the read-only replica, the user is created even on the Master).
>>>
>>> Is it possible to have a replication only from the Master to the
>>> read-only, and not vice-versa? I read about Inherited Rights Filter but
>>> I can't find an application for this situation.
>>>
>>> Can anyone help me?
>>>
>>> Thank You
>>
>> No I don't think it works that way.
>> The user is probably created on a R/W replica and replicated to your
>> R/O replica.
>> If you want a R/O situation make sure that the user you are logging in
>> with doesn't have any rights to create/write.
>>
>> --
>> If you find this post helpful and are logged into the web interface,
>> show your appreciation and click on the star below.
>
> No, I created a test user on the R/O replica, not on the R/W.
> But when I access the Master server, I can find the test user even on
> the Master.
>
> What do you mean by "make sure that the user you are logging in
> with doesn't have any rights to create/write."? The replica uses the
> Admin account for replication, but I cannot set the replica with an
> account that is not supervisor.

According to the book "Novell's Guide to Troubleshooting eDirectory by
Henderson/Kuo":

<begin>
The Read-Only (R/O) replica type is seldom-if ever-used.
<snip>
Use of R/O replicas is strongly discouraged.
<snip>
Any change directed at a server that holds an R/O replica of a partition
would end up being redirected by the server to a server with a
Read/Write or Master replica. The change would then be synchronized back
to the server holding the R/O replica, through the normal
synchronization process.
</end>
--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.
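
The redirection described in the book excerpt above, as a simplified model added here (not eDirectory code and not part of the original post): a change sent to the server holding the R/O replica is accepted by a writable replica and reaches the R/O holder only through synchronization. The server names, the DN and the newest-timestamp merge rule are assumptions of the model.

```python
# Toy model (added example, not eDirectory code) of a write aimed at a
# server that holds a Read-Only replica of a partition.
from dataclasses import dataclass, field

WRITABLE = {"master", "read-write"}

@dataclass
class Server:
    name: str
    replica_type: str                             # "master", "read-write" or "read-only"
    entries: dict = field(default_factory=dict)   # DN -> (timestamp, value)

class ReplicaRing:
    def __init__(self, servers):
        self.servers = {s.name: s for s in servers}
        self.clock = 0                            # assumed: one shared logical clock

    def write(self, target, dn, value):
        """Apply a change directed at `target`; return the server that accepted it."""
        server = self.servers[target]
        if server.replica_type not in WRITABLE:
            # The R/O holder does not apply the change itself: it is
            # redirected to a server with a Master or Read/Write replica.
            server = next(s for s in self.servers.values()
                          if s.replica_type in WRITABLE)
        self.clock += 1
        server.entries[dn] = (self.clock, value)
        return server.name

    def synchronize(self):
        """Normal sync: every replica converges on the newest change per entry."""
        merged = {}
        for s in self.servers.values():
            for dn, stamped in s.entries.items():
                if dn not in merged or stamped > merged[dn]:
                    merged[dn] = stamped
        for s in self.servers.values():
            s.entries = dict(merged)

def demo():
    # Constructed scenario: serverA holds the Master, serverB the R/O replica.
    ring = ReplicaRing([Server("serverA", "master"), Server("serverB", "read-only")])
    dn = "cn=testuser,o=org"                      # constructed sample DN
    accepted_by = ring.write("serverB", dn, "created via serverB")
    on_b_before_sync = dn in ring.servers["serverB"].entries
    ring.synchronize()
    on_b_after_sync = dn in ring.servers["serverB"].entries
    return accepted_by, on_b_before_sync, on_b_after_sync
```

`demo()` shows why a user "created on the R/O replica" is found on the Master: the Master is where the object was actually written.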

Re: Unidirectional Replica eDirectory 8.8

> According to the book "Novell's Guide to Troubleshooting eDirectory by
> Henderson/Kuo":


Quoting those slackers, who wrote the definitive book on the topic. Bah,
how off topic can you get? 🙂 Good find.

> <begin>
> The Read-Only (R/O) replica type is seldom-if ever-used.
> <snip>
> Use of R/O replicas is strongly discouraged.
> <snip>
> Any change directed at a server that holds an R/O replica of a partition
> would end up being redirected by the server to a server with a
> Read/Write or Master replica. The change would then be synchronized back
> to the server holding the R/O replica, through the normal
> synchronization process.
> </end>

