Bug 668909

Summary: Can't modify replication agreement in some cases
Product: [Retired] 389
Reporter: Simo Sorce <ssorce>
Component: Replication - General
Assignee: Rich Megginson <rmeggins>
Status: CLOSED CURRENTRELEASE
QA Contact: Viktor Ashirov <vashirov>
Severity: medium
Priority: low
Version: 1.2.7
CC: nhosoi
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2015-12-07 16:54:40 UTC
Bug Blocks: 639035, 656390
Attachments (description, flags):
preliminary diff to implement port update in an agreement, rmeggins: review+
git patch file (master), nkinder: review+

Description Simo Sorce 2011-01-12 01:30:03 UTC
Online modification of replication agreements is sometimes impossible because of a chicken/egg problem.

Trying to change a replication agreement from proto=SSL/port=636 to proto=LDAP/port=389 always fails. The problem is that the port can't be changed to 389 while the proto is SSL and the proto can't be changed to LDAP while the port is 636.
The other way around is true as well.

I was trying to go from LDAPS+simple creds to SASL/GSSAPI which requires setting LDAP as the protocol.

Comment 1 Rich Megginson 2011-01-24 21:43:41 UTC
How urgent is this?  Does this need to be fixed for IPA 2.0 in RHEL6?

Comment 2 Simo Sorce 2011-01-24 22:07:50 UTC
No, we worked around it.

Comment 3 Noriko Hosoi 2011-03-10 00:24:21 UTC
Created attachment 483325 [details]
preliminary diff to implement port update in an agreement

nsDS5ReplicaPort is not allowed to be modified:
$ ldapmodify ... << EOF
dn: cn=agreement_name,cn=replica,cn="suffix",cn=mapping tree,cn=config
changetype: modify
replace: nsDS5ReplicaPort
nsDS5ReplicaPort: 24208
-
replace: nsDS5ReplicaBindMethod
nsDS5ReplicaBindMethod: SIMPLE
-
replace: nsDS5ReplicaTransportInfo
nsDS5ReplicaTransportInfo: LDAP
EOF

error message with repl log level:
[...] NSMMReplicationPlugin - agmtlist_modify_callback: modification of nsDS5ReplicaPort attribute is not allowed

The current agmtlist_modify_callback implements these attributes.
nsds5ReplicaInitialize
nsds5ReplicaUpdateSchedule
nsds5ReplicaTimeout
nsds5ReplicaBusyWaitTime
nsds5ReplicaSessionPauseTime
nsds5ReplicaBindDN
nsds5TransportInfo
nsds5ReplicaBindMethod
nsds5ReplicatedAttributeList

By adding nsds5ReplicaPort to the list (see also the attached patch), switching between SSL/TLS and SIMPLE is enabled.  Could there be any reason why we should not allow this?

Comment 4 Rich Megginson 2011-03-10 00:35:52 UTC
The partial URL (purl) in the RUV has hostname:port - does this port number come from nsds5ReplicaPort?  It may break replication in some strange way to change the port.  What happens if you shut down the server then restart?  Does replication continue to work?

Comment 5 Noriko Hosoi 2011-03-10 00:59:30 UTC
(In reply to comment #4)
> What happens if you shut down the server then restart?  Does
> replication continue to work?

Yes, it continues working.

Comment 6 Noriko Hosoi 2011-03-10 01:07:01 UTC
(In reply to comment #4)
> The partial URL (purl) in the RUV has hostname:port - does this port number
> come from nsds5ReplicaPort?  

It does not look so.  This is a snippet of agreement used in the mmraccept test:
dn: cn=24202_to_24214,cn=replica,cn=o\3Dairius.com,cn=mapping tree,cn=config
nsDS5ReplicaPort: 24214
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaBindMethod: SIMPLE
nsds50ruv: {replica 2 ldap://kiki.usersys.redhat.com:24204} 4d77fab20000000200
 00 4d77fab2000000020000
nsds50ruv: {replica 1 ldap://kiki.usersys.redhat.com:24202} 4d77fa970000000100
 00 4d7804a5000000010000

24214 is the secure port, but the corresponding original port 24204 is being used in RUV...
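
Added example (not part of the bug report or of the 389 code base): a Python check that unfolds the agreement snippet quoted in comment 6, parses each nsds50ruv element, and compares the purl port with nsDS5ReplicaPort. The function names are hypothetical; the sample data is the snippet above.

```python
import re
from urllib.parse import urlsplit

# Agreement snippet quoted in comment 6, with LDIF line folding preserved.
SAMPLE = """\
dn: cn=24202_to_24214,cn=replica,cn=o\\3Dairius.com,cn=mapping tree,cn=config
nsDS5ReplicaPort: 24214
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaBindMethod: SIMPLE
nsds50ruv: {replica 2 ldap://kiki.usersys.redhat.com:24204} 4d77fab20000000200
 00 4d77fab2000000020000
nsds50ruv: {replica 1 ldap://kiki.usersys.redhat.com:24202} 4d77fa970000000100
 00 4d7804a5000000010000
"""

RUV_RE = re.compile(r"^\{replica (\d+) (\S+)\}(?: ([0-9a-f]{20}) ([0-9a-f]{20}))?$")

def parse_entry(ldif):
    """Unfold LDIF continuation lines, then return {lowercased attr: [values]}."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # continuation: drop the single leading space
        elif raw:
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.lower(), []).append(value.strip())
    return entry

def ruv_elements(entry):
    """Parse nsds50ruv values into (replica id, host, port, min CSN, max CSN)."""
    out = []
    for value in entry.get("nsds50ruv", []):
        m = RUV_RE.match(value)
        if m:  # other elements, such as {replicageneration}, are skipped
            url = urlsplit(m.group(2))
            out.append((int(m.group(1)), url.hostname, url.port, m.group(3), m.group(4)))
    return out

def purl_ports_matching_agreement(ldif):
    """Replica IDs whose purl port equals the agreement's nsDS5ReplicaPort."""
    entry = parse_entry(ldif)
    agmt_port = int(entry["nsds5replicaport"][0])
    return [rid for rid, _, port, _, _ in ruv_elements(entry) if port == agmt_port]

if __name__ == "__main__":
    print(ruv_elements(parse_entry(SAMPLE)), purl_ports_matching_agreement(SAMPLE))
```

For this snippet no RUV element carries the agreement port 24214, which matches the observation in comment 6.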

Comment 7 Rich Megginson 2011-03-10 01:26:49 UTC
Comment on attachment 483325 [details]
preliminary diff to implement port update in an agreement

Ok.  The patch looks good, but the formatting is a bit dodgy.

I think we should get this in and throw some replication tests at it - change the port and make sure all of the suppliers and consumers continue to work as before.

Comment 8 Noriko Hosoi 2011-03-10 01:58:18 UTC
(In reply to comment #7)
> Comment on attachment 483325 [details]
> preliminary diff to implement port update in an agreement
> 
> Ok.  The patch looks good, but the formatting is a bit dodgy.
> 
> I think we should get this in and throw some replication tests at it - change
> the port and make sure all of the suppliers and consumers continue to work as
> before.

Thank you, Rich!  I'm running the test, now...  Sorry about the format.  Actually, that's not even a patch... :p  Let me come up with a better one once I finish running the tests.

Comment 9 Noriko Hosoi 2011-03-11 20:13:44 UTC
Created attachment 483808 [details]
git patch file (master)

Description: Code to modify nsds5ReplicaPort in replication agreement
was not implemented.  This patch adds it.

When an agreement change is detected in conn_connect, it resets
the values needed to make a connection including the port number.

Comment 11 Noriko Hosoi 2011-03-11 20:53:19 UTC
Reviewed by Nathan (Thank you!!!)

Pushed to master.

$ git merge 668909
Updating d79ff62..34f2f30
Fast-forward
 ldap/servers/plugins/replication/repl5_agmt.c      |   35 ++++++++++++++++++-
 ldap/servers/plugins/replication/repl5_agmtlist.c  |   14 ++++++++
 .../servers/plugins/replication/repl5_connection.c |    1 +
 3 files changed, 48 insertions(+), 2 deletions(-)

$ git push
Counting objects: 17, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (9/9), done.
Writing objects: 100% (9/9), 1.24 KiB, done.
Total 9 (delta 7), reused 0 (delta 0)
remote: git: 'refs/heads/master' is not a git command. See 'git --help'.
To ssh://git.fedorahosted.org/git/389/ds.git
   d79ff62..34f2f30  master -> master

389-ds-base-1.2.8:
Cherry-picked commit 34f2f30578d69f4aaa7445f6f388b03f9fc5c3ca
$ git cherry-pick 34f2f30578d69f4aaa7445f6f388b03f9fc5c3ca
Finished one cherry-pick.
[ds128-local cc578f1] Bug 668909 - Can't modify replication agreement in some cases
 3 files changed, 48 insertions(+), 2 deletions(-)

Pushed to 389-ds-base-1.2.8, as well.
$ git push origin ds128-local:389-ds-base-1.2.8
Counting objects: 17, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (9/9), done.
Writing objects: 100% (9/9), 1.24 KiB, done.
Total 9 (delta 7), reused 0 (delta 0)
remote: git: 'refs/heads/389-ds-base-1.2.8' is not a git command. See 'git --help'.
To ssh://git.fedorahosted.org/git/389/ds.git
   235e3a6..cc578f1  ds128-local -> 389-ds-base-1.2.8

Comment 13 Noriko Hosoi 2011-07-26 21:37:34 UTC
The nightly mmr acceptance test passes 100%; marking verified.
TestCase [bug668909] result-> [PASS]