Re: (ITS#8185) Clarification/enhancement request: purging stale pwdFailureTime attributes

Thanks for the heads-up, Quanah. Looks like you've found a serious 
problem with multi-master replication, good to know about. In my case, 
we're just using single-master replication, so we're able to dodge the 
problem you describe for the time being.

Just to clarify though -- once ITS#8125 is resolved, this enhancement 
shouldn't pose any additional problems for MMR sites, right?



On 07/06/2015 12:18 PM, Quanah Gibson-Mount wrote:
> I would note that:
> IF using delta-syncrepl
> AND the data values are replicated
> AND authentication attempts can occur against different LDAP masters
> You can run into *serious* drift between servers if you try and 
> implement this, causing endless refresh mode runs that cause the 
> servers to get further out of sync.  See 
> <http://www.openldap.org/its/index.cgi/?findid=8125>.
> More specifically:
> If a client has (most often) a mobile device with a bad password, and 
> its authentication attempts are bouncing between masters, even with 
> high resolution timestamps, you can get collisions in the delete op 
> for old values that cannot be reconciled, causing fallback/refresh.
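To make the drift Quanah describes concrete, here is a small simulation added to this thread (it is not OpenLDAP code and not part of the original messages). It assumes a simplified purge rule (each master keeps only the newest N pwdFailureTime values and deletes the rest), an accesslog-style change log of add/delete values as delta-syncrepl would replicate, and that a replicated delete of a value the consumer no longer holds fails with LDAP noSuchAttribute and forces a fallback to refresh mode. The Master class, the sync() helper and simulate() are constructed for this illustration. With one master doing all the purging the consumer never hits a conflict; with two masters purging independently while the same failing client bounces between them, the deletes collide and refreshes repeat every round.

```python
# Toy model of pwdFailureTime purging under delta-syncrepl (constructed
# example, not OpenLDAP code). Two masters each record failed binds and
# purge stale values locally, then replay each other's change log.
from dataclasses import dataclass, field

LDAP_NO_SUCH_ATTRIBUTE = 16  # LDAP result code when deleting an absent value


@dataclass
class Master:
    name: str
    values: set = field(default_factory=set)   # current pwdFailureTime values
    log: list = field(default_factory=list)    # accesslog-style (op, timestamp) records
    refreshes: int = 0                         # times delta sync fell back to refresh

    def failed_bind(self, ts, max_kept):
        """Record one failed bind, then purge the oldest values beyond max_kept.

        Assumed purge rule: keep only the newest max_kept timestamps (max_kept >= 1).
        """
        self.values.add(ts)
        self.log.append(("add", ts))
        excess = max(0, len(self.values) - max_kept)
        for old in sorted(self.values)[:excess]:
            self.values.discard(old)
            self.log.append(("delete", old))

    def apply(self, change):
        """Apply one replicated change and return an LDAP-style result code."""
        op, ts = change
        if op == "add":
            self.values.add(ts)
            return 0
        if ts not in self.values:
            # The producer deleted a value we already purged ourselves:
            # the delta cannot be applied.
            return LDAP_NO_SUCH_ATTRIBUTE
        self.values.remove(ts)
        return 0


def sync(consumer, producer, cursor):
    """Replay producer.log[cursor:] on consumer; a failed change forces a refresh.

    Assumption: on any apply error the consumer abandons the delta batch and
    refreshes its state from the producer (a simplified refresh fallback).
    Returns the new cursor into producer.log.
    """
    for change in producer.log[cursor:]:
        if consumer.apply(change) != 0:
            consumer.values = set(producer.values)
            consumer.refreshes += 1
            break
    return len(producer.log)


def simulate(multi_master, rounds=4, max_kept=2):
    """Return the total number of refresh fallbacks over the given rounds.

    Each round the failing client binds twice; in MMR the second attempt lands
    on the other master, in single-master mode both land on A and B only consumes.
    """
    a, b = Master("A"), Master("B")
    cursor_a = cursor_b = 0   # how far each side has replayed the other's log
    ts = 0
    for _ in range(rounds):
        ts += 1
        a.failed_bind(ts, max_kept)
        ts += 1
        if multi_master:
            b.failed_bind(ts, max_kept)   # retry bounced to the other master
        else:
            a.failed_bind(ts, max_kept)   # single master: every bind hits A
        cursor_a = sync(b, a, cursor_a)   # B replays A's changes
        if multi_master:
            cursor_b = sync(a, b, cursor_b)   # A replays B's changes
    return a.refreshes + b.refreshes


if __name__ == "__main__":
    print("single-master refresh fallbacks:", simulate(False))  # 0
    print("multi-master refresh fallbacks: ", simulate(True))   # 6
```

In the multi-master run both masters purge the same oldest timestamp in the same round, so each receives a delete for a value it has already removed; every round after the first ends in a refresh on both sides, which is the "endless refresh mode runs" pattern from the thread. The single-master run never fails a delta because only one side ever issues deletes.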
