[Date Prev][Date Next]
Re: (ITS#8185) Clarification/enhancement request: purging stale pwdFailureTime attributes
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8185) Clarification/enhancement request: purging stale pwdFailureTime attributes
- From: firstname.lastname@example.org
- Date: Mon, 06 Jul 2015 17:12:14 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Thanks for the heads-up Quanah. Looks like you've found a serious
problem with multi-master replication, good to know about. In my case,
we're just using single-master replication, so we're able to dodge the
problem you describe for the time being.
Just to clarify though -- once ITS#8125 is resolved, this enhancement
shouldn't pose any additional problems for MMR sites, right?
On 07/06/2015 12:18 PM, Quanah Gibson-Mount wrote:
> I would note that:
> IF using delta-syncrepl
> AND the data values are replicated
> AND authentication attempts can occur against different LDAP masters
> You can run into *serious* drift between servers if you try and
> implement this, causing endless refresh mode runs that cause the
> servers to get further out of sync. See
> More specifically:
> If a client has (most often) a mobile device with a bad password, and
> it's authentication attempts are bouncing between masters, even with
> high resolution timestamps, you can get collisions in the delete op
> for old values that cannot be reconciled, causing fallback/refresh.
> Quanah Gibson-Mount
> Platform Architect
> Zimbra, Inc.
> Zimbra :: the leader in open source messaging and collaboration