| Summary: | [RFE] set nsslapd-ignore-time-skew: on by default | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | German Parente <gparente> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.4 | CC: | enewland, ksiddiqu, mrhodes, myusuf, nkinder, nsoman, pasik, pvoborni, rcritten, rmeggins, tscherf |
| Target Milestone: | rc | Keywords: | FutureFeature |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-4.5.4-4.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-04-10 16:46:13 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
|
Description
German Parente
2017-09-19 13:27:49 UTC
Mark, would following behavior be OK: on replica installation: - set nsslapd-ignore-time-skew to 'on' - set it to 'off' on at the end on re-init: - set it to 'on' on replica - do reinit - set it to 'off' replica Q: Is it sufficient to set it on only receiving side (replica) Q: Is there a situation when it might be wrong? Upstream ticket: https://pagure.io/freeipa/issue/7211 master:
051786c ds: ignore time skew during initial replication step
620f965 ipa-replica-manage: implicitly ignore initial time skew in force-sync
ipa-4-5:
e4cb4a5 ds: ignore time skew during initial replication step
b83073d ipa-replica-manage: implicitly ignore initial time skew in force-sync
version: ipa-server-4.5.4-4.el7.x86_64 Steps: 1. Install master 2. Install replica 3. Check for "nsslapd-ignore-time-skew" in replica-install log first set to ON and then off. $ grep -A 2 "nsslapd-ignore-time-skew:" /var/log/ipareplica-install.log 4. ldapsearch for param "nsslapd-ignore-time-skew" set to off. $ ldapsearch -D "cn=Directory Manager" -w Secret123 -h localhost -b "cn=config" | grep nsslapd-ignore-time-skew: Expected output: nsslapd-ignore-time-skew: should be set to ON while installing replica and then OFF It should remain off by default for dirsrv Actual result: [root@replica ~]# grep -A 1 "nsslapd-ignore-time-skew:" /var/log/ipareplica-install.log 2017-11-29T11:58:44Z DEBUG stdout=replace nsslapd-ignore-time-skew: on -- 2017-11-29T11:59:00Z DEBUG stdout=replace nsslapd-ignore-time-skew: off -- 2017-11-29T12:05:40Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:05:40Z DEBUG off -- 2017-11-29T12:05:40Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:05:40Z DEBUG off -- 2017-11-29T12:05:40Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:05:40Z DEBUG off -- 2017-11-29T12:05:40Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:05:40Z DEBUG off -- 2017-11-29T12:05:40Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:05:40Z DEBUG off -- 2017-11-29T12:05:40Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:05:40Z DEBUG off -- 2017-11-29T12:05:40Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:05:40Z DEBUG off -- 2017-11-29T12:05:40Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:05:40Z DEBUG off -- 2017-11-29T12:05:41Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:05:41Z DEBUG off -- 2017-11-29T12:05:41Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:05:41Z DEBUG off -- 2017-11-29T12:05:41Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:05:41Z DEBUG off -- 2017-11-29T12:05:41Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:05:41Z DEBUG off -- 2017-11-29T12:05:41Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:05:41Z DEBUG off -- 2017-11-29T12:05:41Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:05:41Z DEBUG off -- 2017-11-29T12:05:41Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:05:41Z DEBUG off -- 2017-11-29T12:05:41Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:05:41Z DEBUG off -- 2017-11-29T12:05:41Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:05:41Z DEBUG off -- 2017-11-29T12:05:41Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:05:41Z DEBUG off -- 2017-11-29T12:05:42Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:05:42Z DEBUG off -- 2017-11-29T12:05:42Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:05:42Z DEBUG off -- 2017-11-29T12:06:44Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:06:44Z DEBUG off -- 2017-11-29T12:06:44Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:06:44Z DEBUG off -- 2017-11-29T12:06:44Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:06:44Z DEBUG off -- 2017-11-29T12:06:44Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:06:44Z DEBUG off -- 2017-11-29T12:06:44Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:06:44Z DEBUG off -- 2017-11-29T12:06:44Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:06:44Z DEBUG off -- 2017-11-29T12:06:44Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:06:44Z DEBUG off -- 2017-11-29T12:06:44Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:06:44Z DEBUG off -- 2017-11-29T12:06:44Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:06:44Z DEBUG off -- 2017-11-29T12:06:44Z DEBUG nsslapd-ignore-time-skew: 2017-11-29T12:06:44Z DEBUG off [root@replica ~]# ldapsearch -D "cn=Directory Manager" -w Secret123 -h localhost -b "cn=config" | grep nsslapd-ignore-time-skew: nsslapd-ignore-time-skew: off Promoted an ipa-client to replica and expected behaviour observed. [root@client ~]# ldapsearch -D "cn=Directory Manager" -w Secret123 -h localhost -b "cn=config" | grep nsslapd-ignore-time-skew: nsslapd-ignore-time-skew: off [root@client ~]# [root@client ~]# [root@client ~]# grep -A 2 "nsslapd-ignore-time-skew:" /var/log/ipareplica-install.log 2017-12-04T06:44:23Z DEBUG stdout=replace nsslapd-ignore-time-skew: on modifying entry "cn=config" -- 2017-12-04T06:44:37Z DEBUG stdout=replace nsslapd-ignore-time-skew: off modifying entry "cn=config" -- 2017-12-04T06:49:05Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:49:05Z DEBUG off 2017-12-04T06:49:05Z DEBUG nsslapd-allow-unauthenticated-binds: -- 2017-12-04T06:49:05Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:49:05Z DEBUG off 2017-12-04T06:49:05Z DEBUG nsslapd-allow-unauthenticated-binds: -- 2017-12-04T06:49:05Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:49:05Z DEBUG off 2017-12-04T06:49:05Z DEBUG nsslapd-allow-unauthenticated-binds: -- 2017-12-04T06:49:05Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:49:05Z DEBUG off 2017-12-04T06:49:05Z DEBUG nsslapd-allow-unauthenticated-binds: -- 2017-12-04T06:49:05Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:49:05Z DEBUG off 2017-12-04T06:49:05Z DEBUG nsslapd-allow-unauthenticated-binds: -- 2017-12-04T06:49:05Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:49:05Z DEBUG off 2017-12-04T06:49:05Z DEBUG nsslapd-allow-unauthenticated-binds: -- 2017-12-04T06:49:05Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:49:05Z DEBUG off 2017-12-04T06:49:05Z DEBUG nsslapd-allow-unauthenticated-binds: -- 2017-12-04T06:49:05Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:49:05Z DEBUG off 2017-12-04T06:49:05Z DEBUG nsslapd-allow-unauthenticated-binds: -- 2017-12-04T06:49:05Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:49:05Z DEBUG off 2017-12-04T06:49:05Z DEBUG nsslapd-allow-unauthenticated-binds: -- 2017-12-04T06:49:05Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:49:05Z DEBUG off 2017-12-04T06:49:05Z DEBUG nsslapd-allow-unauthenticated-binds: -- 2017-12-04T06:49:05Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:49:05Z DEBUG off 2017-12-04T06:49:05Z DEBUG nsslapd-allow-unauthenticated-binds: -- 2017-12-04T06:49:05Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:49:05Z DEBUG off 2017-12-04T06:49:05Z DEBUG nsslapd-allow-unauthenticated-binds: -- 2017-12-04T06:49:06Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:49:06Z DEBUG off 2017-12-04T06:49:06Z DEBUG nsslapd-allow-unauthenticated-binds: -- 2017-12-04T06:49:06Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:49:06Z DEBUG off 2017-12-04T06:49:06Z DEBUG nsslapd-allow-unauthenticated-binds: -- 2017-12-04T06:49:06Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:49:06Z DEBUG off 2017-12-04T06:49:06Z DEBUG nsslapd-allow-unauthenticated-binds: -- 2017-12-04T06:49:06Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:49:06Z DEBUG off 2017-12-04T06:49:06Z DEBUG nsslapd-allow-unauthenticated-binds: -- 2017-12-04T06:49:06Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:49:06Z DEBUG off 2017-12-04T06:49:06Z DEBUG nsslapd-allow-unauthenticated-binds: -- 2017-12-04T06:49:06Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:49:06Z DEBUG off 2017-12-04T06:49:06Z DEBUG nsslapd-allow-unauthenticated-binds: -- 2017-12-04T06:49:06Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:49:06Z DEBUG off 2017-12-04T06:49:06Z DEBUG nsslapd-allow-unauthenticated-binds: -- 2017-12-04T06:49:06Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:49:06Z DEBUG off 2017-12-04T06:49:06Z DEBUG nsslapd-allow-unauthenticated-binds: -- 2017-12-04T06:50:07Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:50:07Z DEBUG off 2017-12-04T06:50:07Z DEBUG nsslapd-allow-unauthenticated-binds: -- 2017-12-04T06:50:07Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:50:07Z DEBUG off 2017-12-04T06:50:07Z DEBUG nsslapd-allow-unauthenticated-binds: -- 2017-12-04T06:50:07Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:50:07Z DEBUG off 2017-12-04T06:50:07Z DEBUG nsslapd-allow-unauthenticated-binds: -- 2017-12-04T06:50:07Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:50:07Z DEBUG off 2017-12-04T06:50:07Z DEBUG nsslapd-allow-unauthenticated-binds: -- 2017-12-04T06:50:08Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:50:08Z DEBUG off 2017-12-04T06:50:08Z DEBUG nsslapd-allow-unauthenticated-binds: -- 2017-12-04T06:50:08Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:50:08Z DEBUG off 2017-12-04T06:50:08Z DEBUG nsslapd-allow-unauthenticated-binds: -- 2017-12-04T06:50:08Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:50:08Z DEBUG off 2017-12-04T06:50:08Z DEBUG nsslapd-allow-unauthenticated-binds: -- 2017-12-04T06:50:08Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:50:08Z DEBUG off 2017-12-04T06:50:08Z DEBUG nsslapd-allow-unauthenticated-binds: -- 2017-12-04T06:50:08Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:50:08Z DEBUG off 2017-12-04T06:50:08Z DEBUG nsslapd-allow-unauthenticated-binds: -- 2017-12-04T06:50:08Z DEBUG nsslapd-ignore-time-skew: 2017-12-04T06:50:08Z DEBUG off 2017-12-04T06:50:08Z DEBUG nsslapd-allow-unauthenticated-binds: [root@client ~]# Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0918 |