Bug 450973 - rhds80 account accountunlocktime attribute breaks replication
Summary: rhds80 account accountunlocktime attribute breaks replication
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Directory Server
Classification: Red Hat
Component: Replication - General
Version: 8.0
Hardware: All
OS: Linux
high
urgent
Target Milestone: ---
: ---
Assignee: Rich Megginson
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Duplicates: 442560
Depends On:
Blocks: FDS112
Reported: 2008-06-11 23:53 UTC by Issue Tracker
Modified: 2018-10-20 02:46 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-08-27 20:38:47 UTC


Attachments
diffs (deleted), 2008-06-23 16:45 UTC, Rich Megginson
cvs commit log (deleted), 2008-06-23 18:39 UTC, Rich Megginson


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0602 normal SHIPPED_LIVE Moderate: redhat-ds-base and redhat-ds-admin security and bug fix update 2008-08-27 20:38:30 UTC

Description Issue Tracker 2008-06-11 23:53:57 UTC
Escalated to Bugzilla from IssueTracker

Comment 12 Rich Megginson 2008-06-20 20:16:46 UTC
Looks like there is a bug.  The problem is twofold:
1) The supplier ignores the isglobalpolicy setting - it attempts to send the
attributes, which would be ok except for
2) The consumer rejects mod operations that contain no valid modifications with
err=53.  The consumer does honor the isglobalpolicy setting, removes the invalid
mods from the mod list, finds there are no mods left, and returns with err=53.
The supplier does not recover from this error due to a bug in the async result
handling code.

Comment 13 Rich Megginson 2008-06-23 16:45:55 UTC
Created attachment 310042
diffs

This is for the actual bug - replication should not break.  This fixes a bug in
the replication error handling code so that replication will continue after
getting the err=53 from the consumer.

The other part of this fix is to simply not replicate those attributes.  I
believe this can be done by using fractional replication and adding the
attributes passwordRetryCount retryCountResetTime accountUnlockTime to the list
of attributes to not replicate.  This will only work with the redhat-ds-base
8.0.0-13 or later - i.e. if you have installed redhat-ds-base but not upgraded
to the latest one available in RHN, you need to do so, or fractional
replication between masters will not work.

Comment 14 Rich Megginson 2008-06-23 16:48:56 UTC
Correction - the fractional MMR fix is in 8.0.0-14 or later, not -13.

Comment 15 Rich Megginson 2008-06-23 18:39:23 UTC
Created attachment 310060
cvs commit log

Reviewed by: nhosoi (Thanks!)
Fix Description: We were not handling errors returned from the consumer
correctly in the async replication code.  The problem was that we were exiting
the async read results thread immediately.  However, we needed to wait for and
read all of the outstanding responses, then exit the thread when all of them
had been read.  The new code handles this case correctly, allowing us to read
all of the pending responses before exiting.

The flip side of this is that passwordIsGlobalPolicy only works on the
_consumer_.  It has no effect whatsoever on the _supplier_ side of replication.
 The fix for this is to configure fractional replication _always_ and to add
the password policy op attrs to the list of attrs not to replicate.  This
should work fine with RHDS 8.0.0-14 and later.
Platforms tested: RHEL5
Flag Day: no
Doc impact: Yes.  We will need to document exactly how passwordIsGlobalPolicy
works and how to configure fractional replication.
QA impact: Will need to do more testing of MMR with account lockout to make
sure this error does not blow up MMR anymore.
New Tests integrated into TET: Working on it.
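
The fractional replication setting recommended in comments 13 and 15 can be audited offline. The following is an added example, not part of the original bug report or the project's code: it reads replication agreement entries from an LDIF export of cn=config and reports agreements whose exclude list does not cover the three password policy attributes. It assumes the exclude list is stored in the agreement's nsDS5ReplicatedAttributeList attribute; the agreement names and suffix in the sample are constructed.

```python
import re

# Password policy operational attributes named in the comments above.
REQUIRED = ("passwordRetryCount", "retryCountResetTime", "accountUnlockTime")

# Constructed sample: two agreement entries; names and suffix are made up.
SAMPLE_LDIF = """\
dn: cn=to-m2,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: nsDS5ReplicationAgreement
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE passwordRetryCount
  retryCountResetTime accountUnlockTime

dn: cn=to-m3,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: nsDS5ReplicationAgreement
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE accountUnlockTime
"""

def parse_entries(ldif):
    """Unfold LDIF continuation lines; return entries as dicts of
    lowercased attribute name -> list of values (base64 values not decoded)."""
    entries = []
    for block in re.split(r"\n\s*\n", ldif.replace("\n ", "").strip()):
        entry = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def excluded_attrs(entry):
    """Lowercased attribute names listed after EXCLUDE in an agreement."""
    names = set()
    for value in entry.get("nsds5replicatedattributelist", []):
        _, _, tail = value.partition("EXCLUDE")  # tail is "" without EXCLUDE
        names.update(a.lower() for a in tail.split())
    return names

def audit(ldif):
    """Map agreement DN -> REQUIRED attributes that would still replicate."""
    findings = {}
    for entry in parse_entries(ldif):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "nsds5replicationagreement" in classes:
            missing = [a for a in REQUIRED if a.lower() not in excluded_attrs(entry)]
            if missing:
                findings[entry["dn"][0]] = missing
    return findings
```

Calling `audit(SAMPLE_LDIF)` flags only the second agreement, which excludes accountUnlockTime but would still replicate the other two attributes.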

Comment 17 Rich Megginson 2008-06-23 23:12:03 UTC
*** Bug 442560 has been marked as a duplicate of this bug. ***

Comment 24 errata-xmlrpc 2008-08-27 20:38:47 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2008-0602.html

