This is a continuation of ticket 2220.
We have done what we can in IPA. The 389-ds team is going to investigate the best way to not replicate when only modifyuser/date is changed.
Among the possible solutions are:
- LDAP relax: http://tools.ietf.org/html/draft-zeilenga-ldap-relax-03
- setting an ACI like in Account Usability
- or a change to replication directly
The 389-ds ticket is https://fedorahosted.org/389/ticket/321
We are using fractional replication that excludes the lockout attributes. 389-ds is seeing a change come in and then discards all the mods for replication purposes except the lastmodifybydate and user attributes, so we still get replication.
We'd like this to be suppressed, either by 389-ds knowing this case specifically or by not replicating when the only changes are to these two attributes.
This is mitigated somewhat by the options added in ticket https://fedorahosted.org/freeipa/ticket/2734
Fixed in 389-ds-base 1.2.11.4
We need to set something like this in the replication agreements (see 389-ds ticket for more details):
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp
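An added audit check (not from the ticket or the 389-ds project): given an LDIF export of the replication agreements under cn=config, it reports every agreement whose nsds5ReplicaStripAttrs does not cover all four attributes named above, i.e. agreements that would still replicate a modifiersName/modifyTimestamp-only change. The agreement names and suffix in the sample LDIF are constructed.

```python
# Hypothetical checker for 389-ds replication agreements. Input is LDIF such as
# an export of objectClass=nsds5replicationagreement entries under cn=config.
REQUIRED_STRIP_ATTRS = {
    "modifiersname", "modifytimestamp",
    "internalmodifiersname", "internalmodifytimestamp",
}

def unfold(text):
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Minimal LDIF parser: list of {attribute (lowercased): [values]} per entry."""
    entries, current = [], {}
    for line in unfold(text) + [""]:
        if not line.strip():           # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def audit_agreements(text):
    """Return {agreement DN: sorted missing strip attributes} for agreements
    that do not strip all of REQUIRED_STRIP_ATTRS. Accepts the attributes either
    as one space-separated value (as in the ticket) or as multiple values."""
    findings = {}
    for entry in parse_ldif(text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "nsds5replicationagreement" not in classes:
            continue
        stripped = set()
        for value in entry.get("nsds5replicastripattrs", []):
            stripped.update(v.lower() for v in value.split())
        missing = sorted(REQUIRED_STRIP_ATTRS - stripped)
        if missing:
            findings[entry["dn"][0]] = missing
    return findings

# Constructed sample: one agreement configured as the ticket suggests, one incomplete.
SAMPLE_LDIF = """\
dn: cn=meTolab2,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: meTolab2
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName
  internalModifyTimestamp

dn: cn=meTolab3,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: meTolab3
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp
"""

if __name__ == "__main__":
    for dn, missing in audit_agreements(SAMPLE_LDIF).items():
        print(f"{dn}: missing {' '.join(missing)}")
```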
There's a bug in DS that prevents setting nsds5ReplicaStripAttrs; waiting for them to fix.
https://fedorahosted.org/389/ticket/413
Just for completeness:
Exactly the same optimization is handy for the DNS SOA serial auto-incrementation feature as well. DNS will work without this optimization, but in some cases it can cause a "replication storm" as described in the ssh/Kerberos case above.
master: 2ede70b
ipa-3-0: 1000bf0
Note that the associated BZ was re-assigned against the 389-ds-base component.
Moving closed RC1 tickets to Beta 3.
Metadata Update from @rcritten:
- Issue assigned to pviktori
- Issue set to the milestone: FreeIPA 3.0 Beta 3