Hi,

we use the referential integrity plug-in successfully in the configuration of 3 replicated read-write master servers. The plug-in is enabled on each server, the configuration is :

dn: cn=referential integrity postoperation,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: referential integrity postoperation
nsslapd-pluginPath: libreferint-plugin
nsslapd-pluginInitfunc: referint_postop_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: 3600
nsslapd-pluginarg1: /Local/dirsrv/var/lib/dirsrv/slapd-ens/db/refer_integrity_
 log
nsslapd-pluginarg2: 0
nsslapd-pluginarg3: ou
nsslapd-pluginarg4: member
nsslapd-pluginarg5: uniquemember
nsslapd-pluginarg6: owner
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: referint
nsslapd-pluginVersion: 1.1.3
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: referential integrity plugin
nsslapd-pluginarg7: seeAlso
nsslapd-pluginarg8: manager
nsslapd-pluginarg9: secretary


The attributes monitored by the plug-in in our case are, as you can see :
ou
member
uniquemember
owner
seeAlso
manager
secretary

We have also put a 1-hour (3600s) pause between the modification of the attribute and the cascading changes in referencing attributes. It is a precaution in case the modification was erroneous, in this case we can delete the referint  file to avoid the trigger of changes.

All these attributes contain the DN of other entries. It is important. I am not sure that your "memberuid" attribute contains the WHOLE DN (not just the RDN part). Your /var/log/dirsrv/slapd-us72/referint file should be writeable by the user of the ldap server (as well as the folder /var/log/dirsrv/slapd-us72/). The file is created automatically, you don't need to do anything manually. The plug-in should also be activated (be default i think it is disabled).

There is however a bug in the plug-in - only the first rename of the entry will be taken into account (https://bugzilla.redhat.com/show_bug.cgi?id=431607). So for the production purposes we use the patched version.


Hope it helps you...




2009/2/3 Tim Hartmann <hartmann@fas.harvard.edu>
John A. Sullivan III wrote:
> Hi, Tim.  I didn't have time to peruse this (still under a nasty
> deadline) but I was looking for one thing I didn't see in your post.
> I'm pulling this from memory so please double check it but did you
> enable the presence attribute (?) for indexing on all the items listed i
> the referential integrity plugin?
>
> By the way, if I might mention it, would you kindly post to the bottom
> of future threads.  Top posting makes it very difficult for newcomers to
> the list to follow.  Thanks - John
>
>

Whoops! Clearly an indication of my own newness! Bottom posting it shall
be!

Presence shows up as enabled by default in the index that I created.
When I created the the index for memberuid both "equality" and
"presence" were preselected, so I figured I'd just stick with the defaults.

No worries about time, thank you very much for looking at this with me
at all!  I'll look forward to hearing from you when time permits!

Tim