On 20/07/15 19:04, Mark Reynolds wrote:

On 07/20/2015 12:50 PM, Martin Basti wrote:
On 20/07/15 17:48, Petr Vobornik wrote:
On 07/20/2015 05:24 PM, Rob Crittenden wrote:
Martin Basti wrote:

Patch attached.

Is this going to be a shock on upgrades for people who until now may be
relying on the fact that there is no limit?

Not making any point, but have to note: Ludwig raised a question on the users list but there was no feedback from users.


Should there be a way for an admin to manage this, via the config module

IMHO this is a significant change and red flags need to be raised so
users are aware of it.


IIUC there is a purge delay of 7 days, so if the changelog max age is 7 or more days, it will not break replication.
The issue is if somebody uses the changelog for a different purpose, right?

Well, the replication changelog cannot be used for anything else but the multimaster replication plugin. If a customer increased the replication purge delay you could potentially run into issues, but again this only comes into play when a replica is down for a very long time. I'm not sure if IPA even provides the option to adjust the replication purge delay, but that doesn't mean a customer cannot adjust these settings on their own.


I'm attaching a new patch that modifies the behavior of the 'addifnew' keyword in update files.
addifnew will not create a new entry if it doesn't exist.
This is required for proper working of patch 292.

Rob, are you okay with these patches? As Mark wrote, the changelog is used only for replication plugins, so it should not cause any issues to users.


Martin Basti

From 257a3d77fe25e47b944978ff9aab77d56465cc1f Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Mon, 20 Jul 2015 16:36:45 +0200
Subject: [PATCH] Limit max age of replication changelog

Limit max age of replication changelog to seven days, instead of growing to
unlimited size.

 install/updates/20-replication.update | 4 ++++
 ipaserver/install/replication.py      | 1 +
 2 files changed, 5 insertions(+)

diff --git a/install/updates/20-replication.update b/install/updates/20-replication.update
index 066b9fcd4933864cdcbc451897c98063bdf55bbe..83d5d1f0c7c083e0c55c3e38a5be729d55b4e828 100644
--- a/install/updates/20-replication.update
+++ b/install/updates/20-replication.update
@@ -27,3 +27,7 @@ default: objectclass: top
 default: objectclass: iparepltopoconf
 default: ipaReplTopoConfRoot: $SUFFIX
 default: cn: realm
+# Set replication changelog limit (#5086)
+dn: cn=changelog5,cn=config
+addifnew: nsslapd-changelogmaxage: 7d
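
Review bot: The comment above `addifnew: nsslapd-changelogmaxage: 7d` gives only the ticket number and does not say why the value is 7d. The thread ties it to the 7-day replication purge delay, so say that in the comment (for example, that the max age should not be lower than the purge delay), so an admin who raises the purge delay knows this value has to follow. This stanza also has no `default:` lines, so on a server where `cn=changelog5,cn=config` is missing it relies on `addifnew` not creating the entry; that dependency on the ldapupdate.py change deserves a line in the commit message.
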
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index e9af88dc4356d4fd5495f4fea399ab09c75db953..b3c391383352970d2ca89e1a333315ed1a47dea1 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -466,6 +466,7 @@ class ReplicationManager(object):
                 'objectclass': ["top", "extensibleobject"],
                 'cn': ["changelog5"],
                 'nsslapd-changelogdir': [os.path.join(dbdir, "cldb")],
+                'nsslapd-changelogmaxage': ['7d'],
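
Review bot: The literal `'7d'` in the added `'nsslapd-changelogmaxage': ['7d'],` line duplicates the value set in install/updates/20-replication.update, so fresh installs and upgrades can drift apart if only one of the two is changed later. Consider a named constant in replication.py with a comment pointing at the update file, and record there that the value is chosen to match the replication purge delay.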

From 5901a61d995dbed500fe728b45a89a1c96a1f06e Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Tue, 21 Jul 2015 18:13:44 +0200
Subject: [PATCH] Server Upgrade: addifnew should not create entry

addifnew should add value only if entry exists, instead of creating
 ipaserver/install/ldapupdate.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index 6f796dfdc8bbac1bb99a8b5a1bd5a6aaa778db16..eaef77b2cd215a946c30787aa32e939bd9c297a7 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -669,8 +669,8 @@ class LDAPUpdate:
             elif action == 'addifnew':
                 self.debug("addifnew: '%s' to %s, current value %s", safe_output(attr, update_value), attr, safe_output(attr, entry_values))
                 # Only add the attribute if it doesn't exist. Only works
-                # with single-value attributes.
-                if len(entry_values) == 0:
+                # with single-value attributes. Entry must exist.
+                if entry.get('objectclass') and len(entry_values) == 0:
                     self.debug('addifnew: set %s to %s', attr, safe_output(attr, entry_values))
                     entry[attr] = entry_values
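
Review bot: In the new condition `if entry.get('objectclass') and len(entry_values) == 0:` a missing entry is skipped with no log output, and the objectclass lookup serves as an implicit existence test. Add a debug message on the skipped path saying the entry does not exist, and extend the comment to explain that an entry without objectclass is treated as not present. Because this changes what `addifnew` means for every update file, the commit message should also state that no existing update relies on `addifnew` creating the entry.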
