>From 8da23a1249fe53c4c430869c2bd4646970680672 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <>
Date: Thu, 17 Mar 2016 12:09:42 +0100
Subject: [PATCH] DS deadlock when memberof scopes topology plugin updates

Topology plugin may merge (aka DEL) segments that would trigger
internal search for groups owning that segment. The problem
is that it is searching those groups into the full suffix and
so need the schema compat map lock.

If any other operation holding schema compat map lock need to
access the page involved in the DEL, there is a deadlock.

This fix is to prevent useless group searching if the target entry
is a segment or is in compat tree.
 install/updates/20-syncrepl.update | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/updates/20-syncrepl.update b/install/updates/20-syncrepl.update
index 8b02133f5a755d599915d76682cf9fe6e3565768..faa13f645f492ea35824fe57632b56d52afa8a6e 100644
--- a/install/updates/20-syncrepl.update
+++ b/install/updates/20-syncrepl.update
@@ -11,7 +11,9 @@ add:nsslapd-exclude-suffix: o=ipaca
 # indices for cn=changelog.
 dn: cn=MemberOf Plugin,cn=plugins,cn=config
 add:memberofentryscope: $SUFFIX
+add:memberofentryscopeexcludesubtree: cn=compat,$SUFFIX
 add:memberofentryscopeexcludesubtree: cn=provisioning,$SUFFIX
+add:memberofentryscopeexcludesubtree: cn=topology,cn=ipa,cn=etc,$SUFFIX
 dn: cn=referential integrity postoperation,cn=plugins,cn=config
 add:nsslapd-plugincontainerscope: $SUFFIX

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA:

Reply via email to