The issue with calendar alarms

[Bron Gondwana]

Calendar alarms and replication are a real problem for the
following reason:
1) calalarmd needs to only run on the master, not the replica -
   otherwise the alarm will fire on both, and the alarmd on the replica
   will write annotations, causing split brain issues.
2) the caldav_alarms.sqlite3 database on the replica needs to have all
   the nextalarm values in sync with the master, so if there's a
   failover event, the calalarmd on the ex-replica knows which records
   are interesting without having to parse every single mailbox!
3) replication and annotations is a disaster - the record gets written
   first, and the annotations later.
So we solve this as follows:

a) if record.silent is set, we don't write the caldav_alarms.sqlite3
   event line for the record immediately.
b) AFTER we have applied both the record and any annotations for the
   record in sync_support.c, we call caldav_alarm_touch_record(), which
   can then read the annotation to see when the nextalarm should be.
The problem is this: if there's already a nextalarm value, and we change
a record to have an earlier alarm for whatever reason, the alarm
annotation just gets copied by dav_store_resource to the new record, and
hence there's already a nextalarm in the future.  This OVERWRITES the
earlier alarm value created by caldav_alarm_new_record().
The fix is this: instead of blindly overwriting,
caldav_alarm_touch_record needs to have two modes: sync mode and non-
sync mode.
In sync mode, it's a replica - so it just does what it does now -
blindly writes the value from the annotation.
In non-sync mode, it instead always reads the record (plus any per-user
overrides) and finds the time that it next needs to be checked.
Easy-peasy :)  I might even just call it two different things to make it
extra clear what's going on!
Bron.

--
  Bron Gondwana, CEO, FastMail Pty Ltd
  br...@fastmailteam.com

Re: SASL 2.1.27 rc6

[Ken Murchison]

It looks like Dan White may have found and tested a fix for the 
ldaps+GSSAPI issues in the tracker.  I'd like to have some peer review 
of this before I cut the final release on the morning of the 31st 
(US/Eastern time).



On 12/22/2017 01:03 PM, Ken Murchison wrote:
Unfortunately, I don't know where to look.  Alexey knows way more 
about GSS that I do.  I do recall from my time at CMU that the kerb 
libraries seem to suck at error reporting/logging.



On 12/22/2017 11:49 AM, Dan White wrote:

Ken,

I'm running in to this:

additional info: SASL(-1): generic failure: Unable to find a 
callback: 32775


from:

https://github.com/cyrusimap/cyrus-sasl/issues/464

but with GSSAPI, and not GSS-SPNEGO.

In the following scenarios:

ldapwhoami/heimdal -> slapd/mit
ldapwhoami/heimdal -> slapd/heimdal
ldapwhoami/heimdal -> Microsoft AD

But these work:

ldapwhoami/mit -> slapd/mit
ldapwhoami/mit -> MS AD

I can set security properties with the libldab library (ldap.conf(5)). I
tried playing around with maxbufsize, since there are hints that may be
related when searching on google, but it had no effect.

All Heimdal tests are using version 7.5.0, manually compiled.

Do you have suggestions of where to debug?

On 12/20/17 10:14 -0600, Dan White wrote:

Ken,

I'll try to lab up my original test case (for bug 3480) tomorrow
evening.

On 12/20/17 11:00 -0500, Ken Murchison wrote:

We haven't had much, if any, feedback on this release candidate.

Do the GSSAPI/LDAP folks have any further comments on 
https://github.com/cyrusimap/cyrus-sasl/issues/419


I'd really like to make a final release by Christmas as promised, 
but I also don't want to make a release that folks will have to 
patch immediately.






--
Kenneth Murchison
Cyrus Development Team
FastMail Pty Ltd