389-ds-base

Clone
Source Code
GIT

#317 RHDS fractional replication with excluded password policy attributes leads to wrong error messages.
Closed: wontfix None Opened 12 years ago by rmeggins.

Closed: wontfix
Reopen Issue

https://bugzilla.redhat.com/show_bug.cgi?id=800173 (Red Hat Directory Server)

Description of problem:
When configuring RHDS fractional replication, with passwordRetryCount,
retryCountResetTime, and accountUnlockTime are in exclude list.
Each operation which will lead to change any of attribute will result an error
in slapd error logs.

I created a environment, where I had 5 attributes excluded.

memberof,
passwordRetryCount,
retryCountResetTime,
accountUnlockTime,
telephonenumber

When I tried to edit/add  phone no. in  RHDS, It was not replicated to other
RHDS - Expected behaviour, but also it didnt generated any error.

But When I tried with a invalid login attempt, that made change in
passwordretycount & retrycountresettime, It was not replicated - Expected but
it generated a lots of error like below.

[04/Mar/2012:13:33:05 -0500] NSMMReplicationPlugin - agmt="cn=test-replication"
(ldap56:389): Failed to send modify operation: LDAP error 89 (Bad parameter to
an ldap routine)
[04/Mar/2012:13:33:05 -0500] NSMMReplicationPlugin - agmt="cn=test-replication"
(ldap56:389): Failed to send update operation to consumer (uniqueid
b0461981-662611e1-bd268601-f3e9af2f, CSN 4f53b400000000010000): Timed out. Will
retry later.
[04/Mar/2012:13:33:11 -0500] NSMMReplicationPlugin - agmt="cn=test-replication"
(ldap56:389): Failed to send modify operation: LDAP error 89 (Bad parameter to
an ldap routine)
[04/Mar/2012:13:33:11 -0500] NSMMReplicationPlugin - agmt="cn=test-replication"
(ldap56:389): Failed to send update operation to consumer (uniqueid
b0461981-662611e1-bd268601-f3e9af2f, CSN 4f53b400000000010000): Bad parameter
to an ldap routine. Will retry later.
[04/Mar/2012:13:33:16 -0500] NSMMReplicationPlugin - agmt="cn=test-replication"
(ldap56:389): Failed to send modify operation: LDAP error 89 (Bad parameter to
an ldap routine)

cl-dump output for above csn

changetype: modify
replgen: 4f53ad37000000020000
csn: 4f53b400000000010000
nsuniqueid: b0461981-662611e1-bd268601-f3e9af2f
dn: uid=user,ou=people,dc=example,dc=com
change::
replace: retryCountResetTime
retryCountResetTime: 20120304183711Z
-
replace: passwordRetryCount
passwordRetryCount: 1
-

Replication agreement.

dn: cn=test-replication,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,
 cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
description: MMR
cn: test-replication
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaHost: ldap56.example.com
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: uid=rmanager,cn=config
nsDS5ReplicaTransportInfo: LDAP
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE accountUnlockTime memb
 erOf passwordRetryCount retryCountResetTime telephoneNumber
nsDS5ReplicaCredentials: {DES}QA/cJhx3x8I=
creatorsName: cn=directory manager
modifiersName: cn=Multimaster Replication Plugin,cn=plugins,cn=config
createTimestamp: 20120304180002Z
modifyTimestamp: 20120305184057Z
nsds50ruv: {replicageneration} 4f53ad37000000020000
nsds50ruv: {replica 2 ldap://ldap56.example.com:389} 4f53b27c000000020000 4f55
 0345000000020000
nsds50ruv: {replica 1 ldap://ldap5.example.com:389} 4f53b400000000010000 4f550
 2bd000000010000
nsruvReplicaLastModified: {replica 2 ldap://ldap56.example.com:389} 00000000
nsruvReplicaLastModified: {replica 1 ldap://ldap5.example.com:389} 00000000


Version-Release number of selected component (if applicable):
redhat-ds-admin-8.2.1-1.el5dsrv
redhat-ds-8.2.0-2.el5dsrv
redhat-ds-base-8.2.8-2.el5dsrv
redhat-ds-console-8.2.0-4.el5dsrv


How reproducible:
100%

Steps to Reproduce:
1. Configure MMR replication with passwordisglobalpolicy = off
2. Configure Account Lockout policy on invalid logins.
3. Try to login with invalid credentials of any users.

Actual results:
give the error for "LDAP error 89 (Bad parameter to an ldap routine)" in slapd
error logs

Expected results:
It should not dump above logs.

Additional info:
This is not reproducible in RHDS 9.0.
I have this environment locally configured, Let me know if additional debug
logs are required.

Note that we do not have the same problem when 389 is linked with openldap - openldap explicitly allows a NULL or empty mods list for ldap_modify - but we still should not attempt to replicate an empty operation - we should skip it

0001-Ticket-317-RHDS-fractional-replication-with-excluded.patch
0001-Ticket-317-RHDS-fractional-replication-with-excluded.patch

commit changeset:c72f6ba/389-ds-base
Author: Rich Megginson rmeggins@redhat.com
Date: Thu Mar 8 12:06:37 2012 -0700

Added initial screened field value.

Metadata Update from @rmeggins:
- Issue assigned to rmeggins
- Issue set to the milestone: 1.2.11.a1
7 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/317

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)
3 years ago

Login to comment on this ticket.

Metadata
None
None
None
major
ack
None
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.