RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 747701 - [RFE] Make replication plugin put conflicts in a special suffix
Summary: [RFE] Make replication plugin put conflicts in a special suffix
Keywords:
Status: CLOSED DUPLICATE of bug 1274430
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.0
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: 7.1
Assignee: mreynolds
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks: 695797 756082 1113520
TreeView+ depends on / blocked
 
Reported: 2011-10-20 20:01 UTC by Martin Kosek
Modified: 2020-09-13 19:56 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-04-07 09:05:21 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 160 0 None None None 2020-09-13 19:56:14 UTC

Description Martin Kosek 2011-10-20 20:01:13 UTC 
Description of problem:

Recently, we have run into several issues caused by LDAP replication conflicts in IPA replicas. Objects like this:

nsuniqueid=0a950601-435311e0-86a2f5bd-3cd26022+uid=utest,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

fqdn=rhel61-client3.testrelm+nsuniqueid=807bb87f-652211e0-9e848fb2-f0f04a39,cn=computers,cn=accounts,dc=testrelm

lead to unpredictable issues for IPA end-user. Not every user can be
experienced enough to determine that the issues he is experiencing are caused by these conflicts and rename/remove them.

If 389-ds replication plugin would allow us to configure a suffix to put all conflicts in to prevent them from being in the tree that clients use, it would be a great help for a user to mitigate the replication conflict issue.
Comment 2 Rich Megginson 2012-01-05 16:49:43 UTC 
Upstream ticket:
https://fedorahosted.org/389/ticket/160
Comment 3 Noriko Hosoi 2012-04-30 17:46:03 UTC 
Hi Martin and Simo,

I've summarized the conflict/tombstone entry related changes to be made on this wiki page:
http://directory.fedoraproject.org/wiki/Separate_Conflict_and_Tombstone_Entry

Could you please take a look and give me your comments?

Thanks!
--noriko
Comment 4 Martin Kosek 2012-05-03 09:22:04 UTC 
I read the proposal and saw the 2 approaches about how to address the issue, the first one seemed to be as the preferred one as it was described in a more detailed way.

However, the first approach mainly looks like an internal change - AFAIU, the only change we would see from IPA side is that the conflicting entry would now have a new object class "nsConflict" and nsdsEntryType attribute filled.

I assume this would still disrupt IPA operations (like user-add described in Bug 772294), as reported in the following IPA Bugs: Bug 772294, Bug 695797.

Our target was an ability of the DS to move the conflicting entries out of the IPA DIT tree so that they don't conflict with IPA operations, i.e. the second approach you mentioned on the design page. Then, we would provide users with tools to check and handle the conflicting entries.

Simo, did I miss anything?
Comment 5 Simo Sorce 2012-05-03 11:52:19 UTC 
(In reply to comment #4)

> Simo, did I miss anything?

I think you did, my understanding is that with the first proposal a client will never see conflict or thombstone entries unless you explicitly search for their objectlasses in the filter, ie (objectclass=*) would not match them.
That solves the problem for us as normal clients will not see those entries and we can provide tools to search for conflicts by simply searching for the correct objectclass.

Noriko, please correct me as well :-)
Comment 6 Martin Kosek 2012-05-03 12:12:31 UTC 
Ah, Simo thanks for clarification. If this is the case, that would actually make more sense to me and would be usable by IPA too. Such solution would be even more convenient for managing as we would not have to control the new suffixes.
Comment 7 Noriko Hosoi 2012-05-03 16:34:55 UTC 
Thanks a lot, Martin and Simo.  Yes, your observation/understanding is correct, Simo.  Unless you add "(objectclass=nsTombstone)" or "(objectclass=nsConflict)", you won't see the tombstone entry or the conflict entry, respectively.

Sorry about the memo.  It's mainly for myself to start implementing... :)
Comment 8 Ludwig 2012-11-02 15:19:00 UTC 
I'd like to suggest a third approach.

We always try to reconcile replication conflicts as far as possible, only in the case where two entries are generated with the same dn on different servers we give up completely. In my opinion most of the cases are because a client sends an ADD two multiple servers, an in these cases the enries would be identical.

My suggestion is to merge the conflicting entries into one, keeping the conflict invisible for clients in an generated attribute with subtypes, eg:

replconflict;<nsuniqueid>;<attrname>: value

Normal clients would see one entry, an administrator could request the conflict attr and resolve a conflict, maybe just delete replconflict;<nsuniqueid>;
Comment 9 Simo Sorce 2012-11-02 16:10:03 UTC 
Ludwig,
in the case of FreeIPA ehrn creating users, due to the use of the DNA plugin, in most cases the 2 entries would have conflicting uidNumber and gidNumber (and also ipaUniqueId and other minr stuff).
How do you propose merging the entries in this case ?

Simo.
Comment 10 Rich Megginson 2012-11-02 16:30:14 UTC 
(In reply to comment #9)
> Ludwig,
> in the case of FreeIPA ehrn creating users, due to the use of the DNA
> plugin, in most cases the 2 entries would have conflicting uidNumber and
> gidNumber (and also ipaUniqueId and other minr stuff).
> How do you propose merging the entries in this case ?

That's not a replication conflict, so it would have to be handled in a different manner.

> 
> Simo.
Comment 13 Noriko Hosoi 2014-07-09 16:41:05 UTC 
This is not going to be addressed for RHEL 7.1.  Changing the flags to target RHEL 7.2.
Comment 16 Noriko Hosoi 2015-09-28 18:24:43 UTC 
Per 7.3 triage:
> This is old, but it comes up every now and then.  For now, IdM should probably search for conflicts and mention them on the replication monitoring UI (which needs to be developed).

Pushing to post 7.3.
Comment 18 Noriko Hosoi 2015-09-28 18:42:20 UTC 
There is no post 7.3 in pm-rhel flag yet...
Stay in 7.3 until 7.4 is ready.
Comment 19 Ludwig 2017-04-07 09:05:21 UTC 

*** This bug has been marked as a duplicate of bug 1274430 ***
Note You need to log in before you can comment on or make changes to this bug.