[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#8927) slapo-ppolicy is destructive to delta-sync replication

--On Friday, October 12, 2018 5:27 PM +0000 quanah@symas.com wrote:

> So this should succeed, and yet it fails.  Need to figure out why.

I dug into this further with Ondrej, and the issue is that ppolicy was 
never updated to work correctly in a delta-sync MMR environment. ppolicy on 
the receiving server currently has logic to test if it is a shadow (i.e., 
replica) and if so, change its behavior.  But there is no similar logic to 
handle the case if the receiving server is an MMR node (i.e., a shadow and 
a master).

The following 3 changes to the code base for ppolicy would alleviate this 
issue and other potential issues:

- test we're a replicated op, not just on shadow
- issue MOD_REPLACE (concurrent binds could have cleared that attribute on 
the other servers)
- expect MOD_REPLACE as well as MOD_DELETE on replicated ops



Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP: