Re: ppolicy overlay and MMR experiencing frequent delta-sync lost issue



On Mon, 9 Jan 2017, Quanah Gibson-Mount wrote:

> Date: Mon, 9 Jan 2017 12:46:58
> To: Beth Halsema <bhalsema@purdue.edu>,
>     OpenLDAP Technical List <openldap-technical@openldap.org>
> From: Quanah Gibson-Mount <quanah@symas.com>
> Subject: Re: ppolicy overlay and MMR experiencing frequent delta-sync lost
>     issue
> 
> --On Monday, January 09, 2017 9:53 AM -0500 Beth Halsema <bhalsema@purdue.edu>
> wrote:
> 
> > We have submitted OpenLDAP-ITS #8561 with a unit test and a possible
> > patch to the ppolicy overlay.
> > 
> > If anyone else has run into this, we would be interested in any other
> > work-arounds that have been used to address the issue.
> 
> Hi Beth,
> 
> I'm guessing that ppolicy is writing items that are not supposed to be
> replicated to the accesslog.  This issue (ITS8561) and ITS8444 I think are
> generally similar items, in that while the accesslog is writing all write
> operations, replication requires that some write operations not be present in
> the accesslog.  I'll be discussing with the other team members on how best to
> handle what are somewhat conflicting requirements.
> 
> Regards,
> Quanah

Quanah, are you suggesting that the ppolicy attributes (i.e. pwdGraceUseTime, 
pwdFailureTime, etc.) not be replicated?  

If so, that would make me sad.  :)  I believe that their replication is
quite beneficial for OpenLDAP clusters toward avoiding:

	1. The behavior being inconsistent, depending on which node is
	   used  (one node locks out, while the others haven't yet
	   reached that state).
	2. A user potentially having pwdMaxFailure * (the number of nodes
	   in the cluster) failures before being locked out.

If not, then I am no longer sad.  :)

I appreciate your time and effort.

Thank you,
Beth
-------------------------------------------------------------------------
Beth A. Halsema - GSEC, GSSP-Java          email:bhalsema@purdue.edu
Software Engineer, Identity & Access Management
OVPIT - IT Security and Policy
3495 Kent Avenue, Suite 100                Fax  :  (765) 464-2233
West Lafayette, IN  47906                  Campus Mail:  ROSS