[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#8927) slapo-ppolicy is destructive to delta-sync replication

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#8927) slapo-ppolicy is destructive to delta-sync replication
From: quanah@symas.com
Date: Fri, 12 Oct 2018 17:32:52 +0000
Auto-submitted: auto-generated (OpenLDAP-ITS)

--On Friday, October 12, 2018 5:27 PM +0000 quanah@symas.com wrote:

> So this should succeed, and yet it fails.  Need to figure out why.

I dug into this further with Ondrej, and the issue is that ppolicy was 
never updated to work correctly in a delta-sync MMR environment. ppolicy on 
the receiving server currently has logic to test if it is a shadow (i.e., 
replica) and if so, change its behavior.  But there is no similar logic to 
handle the case if the receiving server is an MMR node (i.e., a shadow and 
a master).

The following 3 changes to the code base for ppolicy would alleviate this 
issue and other potential issues:

- test we're a replicated op, not just on shadow
- issue MOD_REPLACE (concurrent binds could have cleared that attribute on 
the other servers)
- expect MOD_REPLACE as well as MOD_DELETE on replicated ops


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

Prev by Date: Re: (ITS#8927) slapo-ppolicy is destructive to delta-sync replication
Next by Date: Re:Re: (ITS#8924) Installed openldap2.4.46 and openssl1.1.1, the client and server still used TLS1.2 to negotiated
Index(es):
- Chronological
- Thread