On 10/30/2017 12:37 PM, Sergei Gerasenko wrote:
Hi Mark,

The replication is working. I wrote a script that makes a change on each member of the topology and verifies that it got to all the other members. So, it appears that all is good.

Yup, the monitor output looks good

Cool!

Okay, so FreeIPA uses fractional replication and stripped attributes.  In a freeipa deployment not all updates are replicated, and this is probably why the maxcsn's tend to drift (until you do an update that is replicated).  For example, in FreeIPA each kerberos login updates the database (and its RUV), but these updates not replicated via the fractional replication configuration - so the agmt maxcsn will not be incremented for such operations.
Anyway it all looks correct to me.

That’s VERY useful information. Thanks a ton. What are other examples of the events that could increment the local RUV?
Examples of the agmt maxcsn not getting updated are based on the your replication configuration.  You need to look at your replication agreements under cn=config. 

Look for:  nsDS5ReplicatedAttributeList

nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
  entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount

In this case any update to any one of these attributes is NOT replicated.  So if you update "memberOf", the agmt maxcsn will not advance while the database RUV did.

I think I found a small bug in the repl-monitor script, which however doesn’t affect its operation (miraculously). Is there a place to submit a patch for that?
https://pagure.io/389-ds-base/new_issue

Thanks,
Mark

Thanks again,
  Sergei