Bug 1405257

Summary: Setting nsDS5ReplicatedAttributeList nsDS5ReplicatedAttributeListTotal on replication agreements does not work
Product: Red Hat Enterprise Linux 7 Reporter: Brian J. Atkisson <batkisso>
Component: 389-ds-baseAssignee: Noriko Hosoi <nhosoi>
Status: CLOSED ERRATA QA Contact: Viktor Ashirov <vashirov>
Severity: high Docs Contact:
Priority: unspecified    
Version: 7.0CC: mreynolds, nhosoi, nkinder, rmeggins, sramling, tbordaz
Target Milestone: pre-dev-freeze   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 389-ds-base-1.3.6.1-3.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 21:12:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
lib389 reproducible test case
none
Patch for 1405257 none

Description Brian J. Atkisson 2016-12-16 00:18:44 UTC 
Description of problem:
Per the docs (https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10.1/html/Administration_Guide/managing-fractional-repl.html#fractional-repl-total):

If both nsDS5ReplicatedAttributeList and nsDS5ReplicatedAttributeListTotal are set, then nsDS5ReplicatedAttributeList only applies to incremental updates. 

I have the following set on two masters when using the memberOf plugin:

nsDS5ReplicatedAttributeListTotal: (objectclass=*)
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberOf

Per the docs, I would expect:

- memberOf to be replicated to a new master on a full init
- memberOf to be excluded from that point forward and memberOf to be managed by each master separately

However, in this configuration, memberOf does not get replicated on a full init, nor on future updates.  This results in having to run fixup-memberof.pl immediately after performing a reinit.
Comment 1 Noriko Hosoi 2016-12-16 00:46:48 UTC 
Hi Brian,

I assume you are observing the problem on 389-ds-base-1.3.5 on rhel-7.3.  

Is this the version you are running?
389-ds-base-1.3.5.10-12.el7_3.bz1391700.x86_64

And is this a regression?

Thanks!
--noriko
Comment 2 Brian J. Atkisson 2016-12-16 02:27:48 UTC 
This is 389-ds-base-1.3.5.10-12.el7_3.bz1391700.x86_64

I do not know if this is a regression, it is the first time I'm trying to use this feature.

Thanks!
Comment 4 thierry bordaz 2016-12-19 17:35:44 UTC 
I can reproduce the described behavior with the attached lib389 test case.

The problem resides in agmt_get_fractional_attrs_total. If frac_attrs_total contains no attributes, then it is empty. It assumes that empty frac_attr_total is a consequence of 'nsDS5ReplicatedAttributeListTotal' being not defined. So it takes nsDS5ReplicatedAttributeList as an alternative value.

It should follow something like

nsDS5ReplicatedAttributeListTotal undefined -> use nsDS5ReplicatedAttributeList
nsDS5ReplicatedAttributeListTotal defined -> use nsDS5ReplicatedAttributeListTotal even if it is empty
Comment 5 thierry bordaz 2016-12-19 17:36:40 UTC 
Created attachment 1233451 [details]
lib389 reproducible test case
Comment 6 thierry bordaz 2016-12-19 17:39:33 UTC 
A workaround is to define at least an attribute nsDS5ReplicatedAttributeListTotal. It could be an attribute that you do not use in any entry.
Comment 7 thierry bordaz 2016-12-20 11:03:35 UTC 
The workaround can use any string as excluded attribute. When parsing this configration attriubte the schema is not enforced. So the workaround could be

nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ dummy_value
Comment 8 thierry bordaz 2016-12-20 11:11:15 UTC 
Created attachment 1233783 [details]
Patch for 1405257
Comment 9 thierry bordaz 2017-01-20 15:58:48 UTC 
Upstream ticket pushed https://fedorahosted.org/389/ticket/49073
Comment 11 Sankar Ramalingam 2017-05-16 07:28:59 UTC 
[0 root@qeos-38 tickets]# py.test -s -v ticket49073_test.py 
========================================== test session starts ==========================================
platform linux2 -- Python 2.7.5, pytest-3.0.7, py-1.4.33, pluggy-0.4.0 -- /usr/bin/python
cachedir: .cache
metadata: {'Python': '2.7.5', 'Platform': 'Linux-3.10.0-663.el7.x86_64-x86_64-with-redhat-7.4-Maipo', 'Packages': {'py': '1.4.33', 'pytest': '3.0.7', 'pluggy': '0.4.0'}, 'Plugins': {'beakerlib': '0.7.1', 'html': '1.14.2', 'cov': '2.5.1', 'metadata': '1.5.0'}}
DS build: 1.3.6.1
389-ds-base: 1.3.6.1-13.el7
nss: 3.28.4-8.el7
nspr: 4.13.1-1.0.el7_3
openldap: 2.4.44-4.el7
svrcore: 4.1.3-2.el7

INFO:lib389:Starting total init cn=meTo_localhost:39002,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
('Update succeeded: status ', '0 Total update succeeded')
INFO:lib389.topologies:Replication is working.
INFO:dirsrvtests.tests.tickets.ticket49073_test:update cn=meTo_localhost:39002,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config to add nsDS5ReplicatedAttributeListTotal
INFO:dirsrvtests.tests.tickets.ticket49073_test:create users and group...
INFO:dirsrvtests.tests.tickets.ticket49073_test:Adding members to the group...
INFO:lib389:Starting total init cn=meTo_localhost:39002,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
('Update succeeded: status ', '0 Total update succeeded')
PASSEDInstance slapd-master_1 removed.
Instance slapd-master_2 removed.
=============== 1 passed in 39.37 seconds ================

Marking it as Verified since the upstream tests ticket49073_test.py is passing.
Comment 12 errata-xmlrpc 2017-08-01 21:12:24 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2086