Bug 1405257 - Setting nsDS5ReplicatedAttributeList nsDS5ReplicatedAttributeListTotal on replication agreements does not work
Summary: Setting nsDS5ReplicatedAttributeList nsDS5ReplicatedAttributeListTotal on rep...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: pre-dev-freeze
: ---
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-12-16 00:18 UTC by Brian J. Atkisson
Modified: 2020-09-13 21:54 UTC (History)
6 users (show)

Fixed In Version: 389-ds-base-1.3.6.1-3.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 21:12:24 UTC
Target Upstream Version:


Attachments (Terms of Use)
lib389 reproducible test case (9.14 KB, text/plain)
2016-12-19 17:36 UTC, thierry bordaz
no flags Details
Patch for 1405257 (4.23 KB, patch)
2016-12-20 11:11 UTC, thierry bordaz
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 2132 None None None 2020-09-13 21:54:42 UTC
Red Hat Product Errata RHBA-2017:2086 normal SHIPPED_LIVE 389-ds-base bug fix and enhancement update 2017-08-01 18:37:38 UTC

Description Brian J. Atkisson 2016-12-16 00:18:44 UTC
Description of problem:
Per the docs (https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10.1/html/Administration_Guide/managing-fractional-repl.html#fractional-repl-total):

If both nsDS5ReplicatedAttributeList and nsDS5ReplicatedAttributeListTotal are set, then nsDS5ReplicatedAttributeList only applies to incremental updates. 

I have the following set on two masters when using the memberOf plugin:

nsDS5ReplicatedAttributeListTotal: (objectclass=*)
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberOf

Per the docs, I would expect:

- memberOf to be replicated to a new master on a full init
- memberOf to be excluded from that point forward and memberOf to be managed by each master separately

However, in this configuration, memberOf does not get replicated on a full init, nor on future updates.  This results in having to run fixup-memberof.pl immediately after performing a reinit.

Comment 1 Noriko Hosoi 2016-12-16 00:46:48 UTC
Hi Brian,

I assume you are observing the problem on 389-ds-base-1.3.5 on rhel-7.3.  

Is this the version you are running?
389-ds-base-1.3.5.10-12.el7_3.bz1391700.x86_64

And is this a regression?

Thanks!
--noriko

Comment 2 Brian J. Atkisson 2016-12-16 02:27:48 UTC
This is 389-ds-base-1.3.5.10-12.el7_3.bz1391700.x86_64

I do not know if this is a regression, it is the first time I'm trying to use this feature.

Thanks!

Comment 4 thierry bordaz 2016-12-19 17:35:44 UTC
I can reproduce the described behavior with the attached lib389 test case.

The problem resides in agmt_get_fractional_attrs_total. If frac_attrs_total contains no attributes, then it is empty. It assumes that empty frac_attr_total is a consequence of 'nsDS5ReplicatedAttributeListTotal' being not defined. So it takes nsDS5ReplicatedAttributeList as an alternative value.

It should follow something like

nsDS5ReplicatedAttributeListTotal undefined -> use nsDS5ReplicatedAttributeList
nsDS5ReplicatedAttributeListTotal defined -> use nsDS5ReplicatedAttributeListTotal even if it is empty

Comment 5 thierry bordaz 2016-12-19 17:36:40 UTC
Created attachment 1233451 [details]
lib389 reproducible test case

Comment 6 thierry bordaz 2016-12-19 17:39:33 UTC
A workaround is to define at least an attribute nsDS5ReplicatedAttributeListTotal. It could be an attribute that you do not use in any entry.

Comment 7 thierry bordaz 2016-12-20 11:03:35 UTC
The workaround can use any string as excluded attribute. When parsing this configration attriubte the schema is not enforced. So the workaround could be

nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ dummy_value

Comment 8 thierry bordaz 2016-12-20 11:11:15 UTC
Created attachment 1233783 [details]
Patch for 1405257

Comment 9 thierry bordaz 2017-01-20 15:58:48 UTC
Upstream ticket pushed https://fedorahosted.org/389/ticket/49073

Comment 11 Sankar Ramalingam 2017-05-16 07:28:59 UTC
[0 root@qeos-38 tickets]# py.test -s -v ticket49073_test.py 
========================================== test session starts ==========================================
platform linux2 -- Python 2.7.5, pytest-3.0.7, py-1.4.33, pluggy-0.4.0 -- /usr/bin/python
cachedir: .cache
metadata: {'Python': '2.7.5', 'Platform': 'Linux-3.10.0-663.el7.x86_64-x86_64-with-redhat-7.4-Maipo', 'Packages': {'py': '1.4.33', 'pytest': '3.0.7', 'pluggy': '0.4.0'}, 'Plugins': {'beakerlib': '0.7.1', 'html': '1.14.2', 'cov': '2.5.1', 'metadata': '1.5.0'}}
DS build: 1.3.6.1
389-ds-base: 1.3.6.1-13.el7
nss: 3.28.4-8.el7
nspr: 4.13.1-1.0.el7_3
openldap: 2.4.44-4.el7
svrcore: 4.1.3-2.el7

INFO:lib389:Starting total init cn=meTo_localhost:39002,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
('Update succeeded: status ', '0 Total update succeeded')
INFO:lib389.topologies:Replication is working.
INFO:dirsrvtests.tests.tickets.ticket49073_test:update cn=meTo_localhost:39002,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config to add nsDS5ReplicatedAttributeListTotal
INFO:dirsrvtests.tests.tickets.ticket49073_test:create users and group...
INFO:dirsrvtests.tests.tickets.ticket49073_test:Adding members to the group...
INFO:lib389:Starting total init cn=meTo_localhost:39002,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
('Update succeeded: status ', '0 Total update succeeded')
PASSEDInstance slapd-master_1 removed.
Instance slapd-master_2 removed.
=============== 1 passed in 39.37 seconds ================

Marking it as Verified since the upstream tests ticket49073_test.py is passing.

Comment 12 errata-xmlrpc 2017-08-01 21:12:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2086


Note You need to log in before you can comment on or make changes to this bug.