From 051786ce372cc89e53fbab02086c2d1246580762 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Mon, 16 Oct 2017 13:32:38 +0300
Subject: [PATCH] ds: ignore time skew during initial replication step

Initial replica creation can go with ignoring time skew checks. We should, however, force time skew checks during normal operation.

Fixes https://pagure.io/freeipa/issue/7211

Reviewed-By: Rob Crittenden
---
 install/share/Makefile.am | 1 +
 install/share/replica-prevent-time-skew.ldif | 4 ++++
 ipaserver/install/dsinstance.py | 24 ++++++++++++++++++++
 3 files changed, 29 insertions(+)
 create mode 100644 install/share/replica-prevent-time-skew.ldif

diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 41fdae4ac..62d38e3e0 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -38,6 +38,7 @@ dist_app_DATA = \
 default-trust-view.ldif \
 delegation.ldif \
 replica-acis.ldif \
+ replica-prevent-time-skew.ldif \
 ds-nfiles.ldif \
 dns.ldif \
 dnssec.ldif \
diff --git a/install/share/replica-prevent-time-skew.ldif b/install/share/replica-prevent-time-skew.ldif
new file mode 100644
index 000000000..5d301fedd
--- /dev/null
+++ b/install/share/replica-prevent-time-skew.ldif
@@ -0,0 +1,4 @@
+dn: cn=config
+changetype: modify
+replace: nsslapd-ignore-time-skew
+nsslapd-ignore-time-skew: $SKEWVALUE
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 65762e72b..0b0533517 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -393,7 +393,21 @@ class DsInstance(service.Service):
 self.step("restarting directory server", self.__restart_instance)
 self.step("creating DS keytab", self.request_service_keytab)
+
+ # 389-ds allows to ignore time skew during replication. It is disabled
+ # by default to avoid issues with non-contiguous CSN values which
+ # derived from a time stamp when the change occurs. However, there are
+ # cases when we are interested only in the changes coming from the
+ # other side and should therefore allow ignoring the time skew.
+ #
+ # This helps with initial replication or force-sync because
+ # the receiving side has no valuable changes itself yet.
+ self.step("ignore time skew for initial replication",
+ self.__replica_ignore_initial_time_skew)
+
 self.step("setting up initial replication", self.__setup_replica)
+ self.step("prevent time skew after initial replication",
+ self.replica_manage_time_skew)
 self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings)
 self.step("updating schema", self.__update_schema)
 # See LDIFs for automember configuration during replica install
@@ -933,6 +947,16 @@ class DsInstance(service.Service):
 def __add_replication_acis(self):
 self._ldap_mod("replica-acis.ldif", self.sub_dict)
+ def __replica_ignore_initial_time_skew(self):
+ self.replica_manage_time_skew(prevent=False)
+
+ def replica_manage_time_skew(self, prevent=True):
+ if prevent:
+ self.sub_dict['SKEWVALUE'] = 'off'
+ else:
+ self.sub_dict['SKEWVALUE'] = 'on'
+ self._ldap_mod("replica-prevent-time-skew.ldif", self.sub_dict)
+
 def __setup_s4u2proxy(self):
 self._ldap_mod("replica-s4u2proxy.ldif", self.sub_dict)
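Review bot: The re-enable step is only reached if `__setup_replica` succeeds; if that step raises (assuming the step runner stops at the first failure, as the surrounding sequence suggests), the replica is left with `nsslapd-ignore-time-skew: on` written to `cn=config`, which persists across restarts, so a half-installed instance keeps the CSN time-skew check disabled until it is removed. The "ignore"/"prevent" pair should be bracketed around the initial replication in one step with `try`/`finally`, so the default is restored on both the success and the failure path; the two helpers are in the second hunk of this file, where the wrapper below would sit next to `__replica_ignore_initial_time_skew`. The enclosing method starts outside the hunk.

```python
        self.step("setting up initial replication",
                  self.__setup_replica_ignoring_time_skew)
        # … unchanged: sasl mappings / schema steps …

    def __setup_replica_ignoring_time_skew(self):
        # Skew tolerance is only acceptable while this replica has no changes
        # of its own; restore the default check even if the initial sync fails.
        self.replica_manage_time_skew(prevent=False)
        try:
            self.__setup_replica()
        finally:
            self.replica_manage_time_skew(prevent=True)
```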
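Review bot: `replica_manage_time_skew` is the only public method added here and it has no docstring, although its `prevent=False` direction relaxes a 389-ds consistency check; a caller reading the signature cannot tell which value is the safe default or that the relaxed setting is meant to be temporary. I would add `"""Toggle 389-ds time-skew checking (nsslapd-ignore-time-skew in cn=config): prevent=True writes 'off', the server default; prevent=False writes 'on' and is only intended for the initial-replication window."""`. The method also mutates the shared `self.sub_dict`, leaving `SKEWVALUE` behind for every later `_ldap_mod` call; `sub_dict = dict(self.sub_dict, SKEWVALUE='off' if prevent else 'on')` followed by `self._ldap_mod("replica-prevent-time-skew.ldif", sub_dict)` keeps the toggle local to this call.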