The test variable is whether or not the server supports transactions. If we test the old version of the package (the 6.2 version: 0.26) with the new version of the directory server (the 6.3 version: 1.2.10 or later), we should see the server deadlock if we modify an entry for which computing the contents of the corresponding synthetic entry requires that we read information from other entries in the directory. 

In that scenario (say, we modify a group entry, where the compat entry is configured so that it will provide the "uid" values of its members as if they were its own "memberUid" values, so the plugin has to go look at member entries), we should expect a deadlock. 

If we replace the version of the plugin with one which has transaction support (this update -- note that the original 6.3 update had support for it in the source, but we didn't compile it in properly), that same operation should succeed without a deadlock.

reproduced with ::

ipa-server-2.2.0-16.el6.i686
slapi-nis-0.40-1.el6.i686
389-ds-base-1.2.10.2-15.el6.i686

command hung and directory server unresponsive and would not start on machine reboot


verification attempt with ::

ipa-server-2.2.0-16.el6.i686
389-ds-base-1.2.10.2-17.el6_3.i686
slapi-nis-0.40-1.el6_3.1.i686


# ldapmodify -x -D "cn=Directory Manager" -w Secret123 -f /tmp/modifycfg.ldif 
modifying entry "cn=MemberOf Plugin,cn=plugins,cn=config"
# service dirsrv restart
Shutting down dirsrv: 
    PKI-IPA...                                             [  OK  ]
    TESTRELM-COM...                                        [  OK  ]
Starting dirsrv: 
    PKI-IPA...                                             [  OK  ]
    TESTRELM-COM...                                        [  OK  ]

# ldapsearch -x -D "cn=Directory Manager" -w Secret123 -b "cn=config" | grep "schema-compat-entry-attribute: memberUid="
schema-compat-entry-attribute: memberUid=%{memberUid}
schema-compat-entry-attribute: memberUid=%deref_r("member","uid")


# ldapsearch -x -D "cn=Directory Manager" -w Secret123 -b "cn=config" | grep "schema-compat-entry-attribute: memberUid="
schema-compat-entry-attribute: memberUid=%{memberUid}
schema-compat-entry-attribute: memberUid=%deref_r("member","uid")

# ipa user-add --first=compat1 --last=compat1 compat1


command still hangs and directory server is unresponsive

ldapsearch unsuccessful - hangs

and 

/var/log/messages

<snip>
Jun 13 12:41:02 dhcp-187-175 named[31176]: LDAP query timed out. Try to adjust "timeout" parameter
Jun 13 12:41:32 dhcp-187-175 named[31176]: LDAP query timed out. Try to adjust "timeout" parameter
Jun 13 12:42:02 dhcp-187-175 named[31176]: LDAP query timed out. Try to adjust "timeout" parameter
Jun 13 12:42:32 dhcp-187-175 named[31176]: LDAP query timed out. Try to adjust "timeout" parameter
Jun 13 12:43:02 dhcp-187-175 named[31176]: LDAP query timed out. Try to adjust "timeout" parameter
Jun 13 12:43:32 dhcp-187-175 named[31176]: LDAP query timed out. Try to adjust "timeout" parameter
Jun 13 12:44:02 dhcp-187-175 named[31176]: LDAP query timed out. Try to adjust "timeout" parameter
Jun 13 12:44:32 dhcp-187-175 named[31176]: LDAP query timed out. Try to adjust "timeout" parameter
Jun 13 12:45:02 dhcp-187-175 named[31176]: LDAP query timed out. Try to adjust "timeout" parameter

</snip>

Here's what the current failure looks like:

thread 29:
  add
  our-postop-add
  our wrlock succeeds
  search
  back-search (database lock blocks)
thread 30:
  modify
  back-modify (database lock succeeds)
  memberof-postop-modify
  modify
  our-internal-postop-modify
  our wrlock blocks

Transactions will not be supported with 389-ds-base and IPA in RHEL 6.3 and there for the need to build slapi-nis with transaction support is not necessary.  Closing this bug WONTFIX for 6.3 and leaving the 6.4 bug open for the support.