URL: https://github.com/freeipa/freeipa/pull/1185 Author: abbra Title: #1185: Time skew support Action: opened
PR body: """ Backport for ipa-4-6, waiting for the CI to complete. The original pull request 1155 was already pushed. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1185/head:pr1185 git checkout pr1185
From 4bd1e2e7a27d88d086f2da56f9d41d11ba011fdd Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <aboko...@redhat.com> Date: Mon, 16 Oct 2017 13:32:38 +0300 Subject: [PATCH 1/2] ds: ignore time skew during initial replication step Initial replica creation can go with ignoring time skew checks. We should, however, force time skew checks during normal operation. Fixes https://pagure.io/freeipa/issue/7211 Reviewed-By: Rob Crittenden <rcrit...@redhat.com>
---
 install/share/Makefile.am | 1 + install/share/replica-prevent-time-skew.ldif | 4 ++++ ipaserver/install/dsinstance.py | 24 ++++++++++++++++++++++++ 3 files changed, 29 insertions(+) create mode 100644 install/share/replica-prevent-time-skew.ldif
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 41fdae4ac4..62d38e3e0e 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -38,6 +38,7 @@ dist_app_DATA = \
 default-trust-view.ldif \
 delegation.ldif \
 replica-acis.ldif \
+ replica-prevent-time-skew.ldif \
 ds-nfiles.ldif \
 dns.ldif \
 dnssec.ldif \
diff --git a/install/share/replica-prevent-time-skew.ldif b/install/share/replica-prevent-time-skew.ldif
new file mode 100644
index 0000000000..5d301feddb
--- /dev/null
+++ b/install/share/replica-prevent-time-skew.ldif
@@ -0,0 +1,4 @@
+dn: cn=config
+changetype: modify
+replace: nsslapd-ignore-time-skew
+nsslapd-ignore-time-skew: $SKEWVALUE
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 65762e72b7..0b05335179 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -393,7 +393,21 @@ def create_replica(self, realm_name, master_fqdn, fqdn,
 self.step("restarting directory server", self.__restart_instance)
 self.step("creating DS keytab", self.request_service_keytab)
+
+ # 389-ds allows to ignore time skew during replication. It is disabled
+ # by default to avoid issues with non-contiguous CSN values which
+ # derived from a time stamp when the change occurs. However, there are
+ # cases when we are interested only in the changes coming from the
+ # other side and should therefore allow ignoring the time skew.
+ #
+ # This helps with initial replication or force-sync because
+ # the receiving side has no valuable changes itself yet.
+ self.step("ignore time skew for initial replication",
+ self.__replica_ignore_initial_time_skew)
+ self.step("setting up initial replication", self.__setup_replica)
+ self.step("prevent time skew after initial replication",
+ self.replica_manage_time_skew)
 self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings)
 self.step("updating schema", self.__update_schema)
 # See LDIFs for automember configuration during replica install
@@ -933,6 +947,16 @@ def __add_delegation_layout(self):
 def __add_replication_acis(self):
 self._ldap_mod("replica-acis.ldif", self.sub_dict)
+ def __replica_ignore_initial_time_skew(self):
+ self.replica_manage_time_skew(prevent=False)
+
+ def replica_manage_time_skew(self, prevent=True):
+ if prevent:
+ self.sub_dict['SKEWVALUE'] = 'off'
+ else:
+ self.sub_dict['SKEWVALUE'] = 'on'
+ self._ldap_mod("replica-prevent-time-skew.ldif", self.sub_dict)
+
 def __setup_s4u2proxy(self):
 self._ldap_mod("replica-s4u2proxy.ldif", self.sub_dict)
From 433c3b4f2d1241f9895c9cd4bc183bf8bffe41fe Mon Sep 17 00:00:00 2001
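Review bot: The restore step `prevent time skew after initial replication` is only reached if the `setting up initial replication` step succeeds, so a failure inside `__setup_replica` leaves the new replica's cn=config with `nsslapd-ignore-time-skew: on`, i.e. the CSN time-skew safeguard stays disabled. How much that matters depends on what the step runner does on failure (a replica install usually aborts and cleans up, but that is outside this hunk), so at minimum I would record the assumption next to the restore step: `# relies on install abort/cleanup if __setup_replica fails; otherwise skew checks stay off`. The same relax-then-restore sequence in `force_sync` of ipa-replica-manage has no cleanup at all; see the note on that hunk. The body of `create_replica` starts and ends outside this hunk.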
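Review bot: `replica_manage_time_skew` is the one public method this series adds (ipa-replica-manage calls it) and it has no docstring; I would add `"""Set nsslapd-ignore-time-skew in cn=config: 'off' when prevent is True (the 389-ds default), 'on' otherwise."""`. The `if`/`else` collapses to one line, `self.sub_dict['SKEWVALUE'] = 'off' if prevent else 'on'`, which also makes it obvious that the value is stored in `self.sub_dict` and therefore persists for any later LDIF substitution on the same instance. The enclosing class continues outside the hunk.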
From: Alexander Bokovoy <aboko...@redhat.com> Date: Mon, 16 Oct 2017 13:46:38 +0300 Subject: [PATCH 2/2] ipa-replica-manage: implicitly ignore initial time skew in force-sync When performing force synchronization, implicitly ignore initial time skew (if any) and restore it afterwards. This also changes semantics of force-sync by waiting until the end of the initial replication. Fixes https://pagure.io/freeipa/issue/7211 Reviewed-By: Rob Crittenden <rcrit...@redhat.com>
---
 install/tools/ipa-replica-manage | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 102addbdbd..56ec73aabf 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -1235,8 +1235,14 @@ def force_sync(realm, thishost, fromhost, dirman_passwd, nolookup=False):
 repl = replication.ReplicationManager(realm, thishost, dirman_passwd)
 repl.force_sync(repl.conn, fromhost)
 else:
+ ds = dsinstance.DsInstance(realm_name=realm)
+ ds.ldapi = os.getegid() == 0
+ ds.replica_manage_time_skew(prevent=False)
 repl = replication.ReplicationManager(realm, fromhost, dirman_passwd)
 repl.force_sync(repl.conn, thishost)
+ agreement = repl.get_replication_agreement(thishost)
+ repl.wait_for_repl_init(repl.conn, agreement.dn)
+ ds.replica_manage_time_skew(prevent=True)
 def show_DNA_ranges(hostname, master, realm, dirman_passwd, nextrange=False, nolookup=False):
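Review bot: `ds.replica_manage_time_skew(prevent=True)` runs only on the success path, so if `repl.force_sync`, `repl.get_replication_agreement` or `repl.wait_for_repl_init` raises (their error behaviour is outside this hunk, but a timeout or connection failure during a sync is not far-fetched), the local directory server is left with `nsslapd-ignore-time-skew: on` and the CSN time-skew safeguard stays silently disabled until a later force-sync happens to complete. Wrapping the sync in `try`/`finally` makes the restore unconditional, as below. `ds.ldapi = os.getegid() == 0` keys the LDAPI decision on the effective group rather than `os.geteuid()`; if the rest of this tool already uses the gid test that is consistent, otherwise the uid test is the more conventional root check.
```python
        ds = dsinstance.DsInstance(realm_name=realm)
        ds.ldapi = os.getegid() == 0
        ds.replica_manage_time_skew(prevent=False)
        try:
            repl = replication.ReplicationManager(realm, fromhost, dirman_passwd)
            repl.force_sync(repl.conn, thishost)
            agreement = repl.get_replication_agreement(thishost)
            repl.wait_for_repl_init(repl.conn, agreement.dn)
        finally:
            # re-enable the skew check even when the sync or the wait fails
            ds.replica_manage_time_skew(prevent=True)
```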