Re: [Freeipa-devel] [PATCH] 957 don't always run memberof_init on re-initialize
JR Aquino wrote: On Feb 22, 2012, at 11:26 AM, Rob Crittenden wrote: We include memberof when doing a total sync so there is no need to re-run the memberOf task in ipa-replica-manage re-initialize unless the agreement doesn't set nsDS5ReplicatedAttributeListTotal. rob ACK Patch tested and clean pushed to master and ipa-2-2 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 957 don't always run memberof_init on re-initialize
On Feb 22, 2012, at 11:26 AM, Rob Crittenden wrote: > We include memberof when doing a total sync so there is no need to re-run the > memberOf task in ipa-replica-manage re-initialize unless the agreement > doesn't set nsDS5ReplicatedAttributeListTotal. > > rob ACK Patch tested and clean ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 957 don't always run memberof_init on re-initialize
On Feb 22, 2012, at 7:10 PM, Rob Crittenden wrote: > JR Aquino wrote: >> On Feb 22, 2012, at 11:26 AM, Rob Crittenden wrote: >> >>> We include memberof when doing a total sync so there is no need to re-run >>> the memberOf task in ipa-replica-manage re-initialize unless the agreement >>> doesn't set nsDS5ReplicatedAttributeListTotal. >>> >>> rob >>> ___ >>> Freeipa-devel mailing list >>> Freeipa-devel@redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> >> NACK >> >> :/ >> >> When using this patch, it seems to provide the replica with >> nsDS5ReplicatedAttributeList but omits the nsDS5ReplicatedAttributeListTotal >> which causes / triggers the memberof. The current 2.1.4 has the opposite >> problem... It HAS nsDS5ReplicatedAttributeListTotal but does not have >> nsDS5ReplicatedAttributeList... So when it adds all the memberof data, the >> replica replicates all that info back to the master and anyone else in the >> replica party. >> >> -JR > > 2.1.4 doesn't set nsDS5ReplicatedAttributeListTotal. Ah. I see my problem I am running my 2.1.4 with 7351780552f5d21d8d92fd2f08aedf4985a3c926 (Replication: Adjust replica installation to omit processing memberof computations) cherry picked So in that case, it means... yes your patch appropriately runs a fixup because the Total is missing without other patches. I suppose I need to do a build with both patches present to get a clear confirmation that both patches are critical to optimize the replication process. I will do a follow up tomorrow. I suspect this is an easy ack > > This patch doesn't add anything, it just doesn't run the memberof task if > nsDS5ReplicatedAttributeListTotal is defined. Since you don't have this > attribute set then that's why it isn't working. > > To test in 2.1.4 after the agreement is set up you can add this with > something like this (untested, YMMV): > > # ldapmodify -x -D 'cn=directory manager' -W > dn: > cn=meTomaster.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping > tree,cn=config > changetype: modify > add: nsDS5ReplicatedAttributeList > nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof entryusn > krblastsuccessfulauth krblastfailedauth krbloginfailedcount > > So the steps would be: > > 1. Install master > 2. Install replica > 3. Update agreement as above (if needed) > 4. Make sure patch is applied > 5. ipa-replica-manage re-initialize replica.example.com > > You should not see a memberof storm. > > rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 957 don't always run memberof_init on re-initialize
JR Aquino wrote: On Feb 22, 2012, at 11:26 AM, Rob Crittenden wrote: We include memberof when doing a total sync so there is no need to re-run the memberOf task in ipa-replica-manage re-initialize unless the agreement doesn't set nsDS5ReplicatedAttributeListTotal. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel NACK :/ When using this patch, it seems to provide the replica with nsDS5ReplicatedAttributeList but omits the nsDS5ReplicatedAttributeListTotal which causes / triggers the memberof. The current 2.1.4 has the opposite problem... It HAS nsDS5ReplicatedAttributeListTotal but does not have nsDS5ReplicatedAttributeList... So when it adds all the memberof data, the replica replicates all that info back to the master and anyone else in the replica party. -JR 2.1.4 doesn't set nsDS5ReplicatedAttributeListTotal. This patch doesn't add anything, it just doesn't run the memberof task if nsDS5ReplicatedAttributeListTotal is defined. Since you don't have this attribute set then that's why it isn't working. To test in 2.1.4 after the agreement is set up you can add this with something like this (untested, YMMV): # ldapmodify -x -D 'cn=directory manager' -W dn: cn=meTomaster.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config changetype: modify add: nsDS5ReplicatedAttributeList nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount So the steps would be: 1. Install master 2. Install replica 3. Update agreement as above (if needed) 4. Make sure patch is applied 5. ipa-replica-manage re-initialize replica.example.com You should not see a memberof storm. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 957 don't always run memberof_init on re-initialize
On Feb 22, 2012, at 11:26 AM, Rob Crittenden wrote: > We include memberof when doing a total sync so there is no need to re-run the > memberOf task in ipa-replica-manage re-initialize unless the agreement > doesn't set nsDS5ReplicatedAttributeListTotal. > > rob > ___ > Freeipa-devel mailing list > Freeipa-devel@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel NACK :/ When using this patch, it seems to provide the replica with nsDS5ReplicatedAttributeList but omits the nsDS5ReplicatedAttributeListTotal which causes / triggers the memberof. The current 2.1.4 has the opposite problem... It HAS nsDS5ReplicatedAttributeListTotal but does not have nsDS5ReplicatedAttributeList... So when it adds all the memberof data, the replica replicates all that info back to the master and anyone else in the replica party. -JR ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
