Apparently, the function `memberof_del_dn_from_groups()` updates the `member` attribute:
/* Deletes a member DN from all groups that refer to it. */ static int memberof_del_dn_from_groups(Slapi_PBlock *pb, MemberOfConfig *config, Slapi_DN *sdn) It uses the `memberofgroupattr` configuration parameter from the MemberOf plugin: memberofgroupattr: member memberofgroupattr: memberUser memberofgroupattr: memberHost memberofgroupattr: ipaOwner This function is called when deleting entries, including during deferred updates: https://github.com/389ds/389-ds-base/blob/main/ldap/servers/plugins/memberof/memberof.c#L644 --- Regarding the updates with CSNs `68edda59000000030000` and `68edda59000100030000`: At first, I also suspected that they were caused by the referential integrity update replication. However, after excluding the `member` attribute from referential integrity, the duplicate modify operations still appear on both replicas. Here’s what I did to exclude `member` from the Referential Integrity plugin: ldapmodify -D "cn=Directory Manager" -W <<EOF dn: cn=referential integrity postoperation,cn=plugins,cn=config changetype: modify delete: referint-membership-attr referint-membership-attr: member EOF Then I deleted the test user, and the result was: dbid: 68f0fb0d000000040000 operation: delete dn: uid=integrity-fix,cn=users,cn=accounts,dc=test,dc=loc dbid: 68f0fb0d000100040000 operation: delete dn: cn=integrity-fix,cn=groups,cn=accounts,dc=test,dc=loc dbid: 68f0fb0d000300040000 operation: modify dn: cn=ipausers,cn=groups,cn=accounts,dc=test,dc=loc member: uid=integrity-fix,cn=users,cn=accounts,dc=test,dc=loc modifiersName: cn=MemberOf Plugin,cn=plugins,cn=config dbid: 68f0fb0e000000030000 operation: modify dn: cn=ipausers,cn=groups,cn=accounts,dc=test,dc=loc member: uid=integrity-fix,cn=users,cn=accounts,dc=test,dc=loc modifiersName: cn=MemberOf Plugin,cn=plugins,cn=config As you can see, the duplicate `modify` operations on the group are triggered by the MemberOf plugin itself, even when the Referential Integrity plugin is excluded from handling the `member` attribute. -- _______________________________________________ 389-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
