RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1493150 - [RFE] set nsslapd-ignore-time-skew: on by default
Summary: [RFE] set nsslapd-ignore-time-skew: on by default
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-09-19 13:27 UTC by German Parente
Modified: 2020-12-14 10:07 UTC (History)
11 users (show)

Fixed In Version: ipa-4.5.4-4.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 16:46:13 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0918 0 None None None 2018-04-10 16:47:24 UTC

Description German Parente 2017-09-19 13:27:49 UTC
Description of problem:

the title of the bug says it all.

It's required for IPA where we are hitting this often at ipa-replica install

Comment 6 Petr Vobornik 2017-09-19 19:14:08 UTC
Mark, would following behavior be OK:

on replica installation:
 - set nsslapd-ignore-time-skew to 'on'
 - set it to 'off' on at the end

on re-init:
 -  set it to 'on' on replica
 -  do reinit
 -  set it to 'off' replica

Q: Is it sufficient to set it on only receiving side (replica)
Q: Is there a situation when it might be wrong?

Comment 7 Petr Vobornik 2017-10-16 12:12:35 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7211

Comment 8 Pavel Vomacka 2017-10-20 14:44:14 UTC
master:

    051786c ds: ignore time skew during initial replication step
    620f965 ipa-replica-manage: implicitly ignore initial time skew in force-sync

ipa-4-5:

    e4cb4a5 ds: ignore time skew during initial replication step
    b83073d ipa-replica-manage: implicitly ignore initial time skew in force-sync

Comment 10 Mohammad Rizwan 2017-11-29 13:01:44 UTC
version:
ipa-server-4.5.4-4.el7.x86_64


Steps:
1. Install master

2. Install replica

3. Check for "nsslapd-ignore-time-skew" in replica-install log first set to ON and then off.
   $ grep -A 2 "nsslapd-ignore-time-skew:" /var/log/ipareplica-install.log

4. ldapsearch for param "nsslapd-ignore-time-skew" set to off.
   $  ldapsearch -D "cn=Directory Manager" -w Secret123 -h localhost -b "cn=config" | grep nsslapd-ignore-time-skew:


Expected output:
nsslapd-ignore-time-skew: should be set to ON while installing replica and then OFF

It should remain off by default for dirsrv

Actual result:

[root@replica ~]# grep -A 1 "nsslapd-ignore-time-skew:" /var/log/ipareplica-install.log
2017-11-29T11:58:44Z DEBUG stdout=replace nsslapd-ignore-time-skew:
	on
--
2017-11-29T11:59:00Z DEBUG stdout=replace nsslapd-ignore-time-skew:
	off
--
2017-11-29T12:05:40Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:05:40Z DEBUG 	off
--
2017-11-29T12:05:40Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:05:40Z DEBUG 	off
--
2017-11-29T12:05:40Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:05:40Z DEBUG 	off
--
2017-11-29T12:05:40Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:05:40Z DEBUG 	off
--
2017-11-29T12:05:40Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:05:40Z DEBUG 	off
--
2017-11-29T12:05:40Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:05:40Z DEBUG 	off
--
2017-11-29T12:05:40Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:05:40Z DEBUG 	off
--
2017-11-29T12:05:40Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:05:40Z DEBUG 	off
--
2017-11-29T12:05:41Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:05:41Z DEBUG 	off
--
2017-11-29T12:05:41Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:05:41Z DEBUG 	off
--
2017-11-29T12:05:41Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:05:41Z DEBUG 	off
--
2017-11-29T12:05:41Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:05:41Z DEBUG 	off
--
2017-11-29T12:05:41Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:05:41Z DEBUG 	off
--
2017-11-29T12:05:41Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:05:41Z DEBUG 	off
--
2017-11-29T12:05:41Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:05:41Z DEBUG 	off
--
2017-11-29T12:05:41Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:05:41Z DEBUG 	off
--
2017-11-29T12:05:41Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:05:41Z DEBUG 	off
--
2017-11-29T12:05:41Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:05:41Z DEBUG 	off
--
2017-11-29T12:05:42Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:05:42Z DEBUG 	off
--
2017-11-29T12:05:42Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:05:42Z DEBUG 	off
--
2017-11-29T12:06:44Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:06:44Z DEBUG 	off
--
2017-11-29T12:06:44Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:06:44Z DEBUG 	off
--
2017-11-29T12:06:44Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:06:44Z DEBUG 	off
--
2017-11-29T12:06:44Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:06:44Z DEBUG 	off
--
2017-11-29T12:06:44Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:06:44Z DEBUG 	off
--
2017-11-29T12:06:44Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:06:44Z DEBUG 	off
--
2017-11-29T12:06:44Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:06:44Z DEBUG 	off
--
2017-11-29T12:06:44Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:06:44Z DEBUG 	off
--
2017-11-29T12:06:44Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:06:44Z DEBUG 	off
--
2017-11-29T12:06:44Z DEBUG nsslapd-ignore-time-skew:
2017-11-29T12:06:44Z DEBUG 	off

[root@replica ~]#  ldapsearch -D "cn=Directory Manager" -w Secret123 -h localhost -b "cn=config" | grep nsslapd-ignore-time-skew:
nsslapd-ignore-time-skew: off

Comment 12 Mohammad Rizwan 2017-12-04 06:56:54 UTC
Promoted an ipa-client to replica and expected behaviour observed.

[root@client ~]# ldapsearch -D "cn=Directory Manager" -w Secret123 -h localhost -b "cn=config" | grep nsslapd-ignore-time-skew:
nsslapd-ignore-time-skew: off
[root@client ~]# 
[root@client ~]# 
[root@client ~]# grep -A 2 "nsslapd-ignore-time-skew:" /var/log/ipareplica-install.log
2017-12-04T06:44:23Z DEBUG stdout=replace nsslapd-ignore-time-skew:
	on
modifying entry "cn=config"
--
2017-12-04T06:44:37Z DEBUG stdout=replace nsslapd-ignore-time-skew:
	off
modifying entry "cn=config"
--
2017-12-04T06:49:05Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:49:05Z DEBUG 	off
2017-12-04T06:49:05Z DEBUG nsslapd-allow-unauthenticated-binds:
--
2017-12-04T06:49:05Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:49:05Z DEBUG 	off
2017-12-04T06:49:05Z DEBUG nsslapd-allow-unauthenticated-binds:
--
2017-12-04T06:49:05Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:49:05Z DEBUG 	off
2017-12-04T06:49:05Z DEBUG nsslapd-allow-unauthenticated-binds:
--
2017-12-04T06:49:05Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:49:05Z DEBUG 	off
2017-12-04T06:49:05Z DEBUG nsslapd-allow-unauthenticated-binds:
--
2017-12-04T06:49:05Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:49:05Z DEBUG 	off
2017-12-04T06:49:05Z DEBUG nsslapd-allow-unauthenticated-binds:
--
2017-12-04T06:49:05Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:49:05Z DEBUG 	off
2017-12-04T06:49:05Z DEBUG nsslapd-allow-unauthenticated-binds:
--
2017-12-04T06:49:05Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:49:05Z DEBUG 	off
2017-12-04T06:49:05Z DEBUG nsslapd-allow-unauthenticated-binds:
--
2017-12-04T06:49:05Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:49:05Z DEBUG 	off
2017-12-04T06:49:05Z DEBUG nsslapd-allow-unauthenticated-binds:
--
2017-12-04T06:49:05Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:49:05Z DEBUG 	off
2017-12-04T06:49:05Z DEBUG nsslapd-allow-unauthenticated-binds:
--
2017-12-04T06:49:05Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:49:05Z DEBUG 	off
2017-12-04T06:49:05Z DEBUG nsslapd-allow-unauthenticated-binds:
--
2017-12-04T06:49:05Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:49:05Z DEBUG 	off
2017-12-04T06:49:05Z DEBUG nsslapd-allow-unauthenticated-binds:
--
2017-12-04T06:49:05Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:49:05Z DEBUG 	off
2017-12-04T06:49:05Z DEBUG nsslapd-allow-unauthenticated-binds:
--
2017-12-04T06:49:06Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:49:06Z DEBUG 	off
2017-12-04T06:49:06Z DEBUG nsslapd-allow-unauthenticated-binds:
--
2017-12-04T06:49:06Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:49:06Z DEBUG 	off
2017-12-04T06:49:06Z DEBUG nsslapd-allow-unauthenticated-binds:
--
2017-12-04T06:49:06Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:49:06Z DEBUG 	off
2017-12-04T06:49:06Z DEBUG nsslapd-allow-unauthenticated-binds:
--
2017-12-04T06:49:06Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:49:06Z DEBUG 	off
2017-12-04T06:49:06Z DEBUG nsslapd-allow-unauthenticated-binds:
--
2017-12-04T06:49:06Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:49:06Z DEBUG 	off
2017-12-04T06:49:06Z DEBUG nsslapd-allow-unauthenticated-binds:
--
2017-12-04T06:49:06Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:49:06Z DEBUG 	off
2017-12-04T06:49:06Z DEBUG nsslapd-allow-unauthenticated-binds:
--
2017-12-04T06:49:06Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:49:06Z DEBUG 	off
2017-12-04T06:49:06Z DEBUG nsslapd-allow-unauthenticated-binds:
--
2017-12-04T06:49:06Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:49:06Z DEBUG 	off
2017-12-04T06:49:06Z DEBUG nsslapd-allow-unauthenticated-binds:
--
2017-12-04T06:50:07Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:50:07Z DEBUG 	off
2017-12-04T06:50:07Z DEBUG nsslapd-allow-unauthenticated-binds:
--
2017-12-04T06:50:07Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:50:07Z DEBUG 	off
2017-12-04T06:50:07Z DEBUG nsslapd-allow-unauthenticated-binds:
--
2017-12-04T06:50:07Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:50:07Z DEBUG 	off
2017-12-04T06:50:07Z DEBUG nsslapd-allow-unauthenticated-binds:
--
2017-12-04T06:50:07Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:50:07Z DEBUG 	off
2017-12-04T06:50:07Z DEBUG nsslapd-allow-unauthenticated-binds:
--
2017-12-04T06:50:08Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:50:08Z DEBUG 	off
2017-12-04T06:50:08Z DEBUG nsslapd-allow-unauthenticated-binds:
--
2017-12-04T06:50:08Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:50:08Z DEBUG 	off
2017-12-04T06:50:08Z DEBUG nsslapd-allow-unauthenticated-binds:
--
2017-12-04T06:50:08Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:50:08Z DEBUG 	off
2017-12-04T06:50:08Z DEBUG nsslapd-allow-unauthenticated-binds:
--
2017-12-04T06:50:08Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:50:08Z DEBUG 	off
2017-12-04T06:50:08Z DEBUG nsslapd-allow-unauthenticated-binds:
--
2017-12-04T06:50:08Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:50:08Z DEBUG 	off
2017-12-04T06:50:08Z DEBUG nsslapd-allow-unauthenticated-binds:
--
2017-12-04T06:50:08Z DEBUG nsslapd-ignore-time-skew:
2017-12-04T06:50:08Z DEBUG 	off
2017-12-04T06:50:08Z DEBUG nsslapd-allow-unauthenticated-binds:
[root@client ~]#

Comment 15 errata-xmlrpc 2018-04-10 16:46:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0918


Note You need to log in before you can comment on or make changes to this bug.