IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

ds: ignore time skew during initial replication step

Browse Source 
Initial replica creation can go with ignoring time skew checks.
We should, however, force time skew checks during normal operation.

Fixes https://pagure.io/freeipa/issue/7211

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
Alexander Bokovoy 2017-10-16 13:32:38 +03:00
parent a2dea5a56d
commit 051786ce37
3 changed files with 29 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
install/share/Makefile.am
View File

@ -38,6 +38,7 @@ dist_app_DATA = \
default-trust-view.ldif \ default-trust-view.ldif \
delegation.ldif \ delegation.ldif \
replica-acis.ldif \ replica-acis.ldif \
replica-prevent-time-skew.ldif \
ds-nfiles.ldif \ ds-nfiles.ldif \
dns.ldif \ dns.ldif \
dnssec.ldif \ dnssec.ldif \

4
install/share/replica-prevent-time-skew.ldif Normal file
View File

@ -0,0 +1,4 @@
dn: cn=config
changetype: modify
replace: nsslapd-ignore-time-skew
nsslapd-ignore-time-skew: $SKEWVALUE

24
ipaserver/install/dsinstance.py
View File

@ -393,7 +393,21 @@ class DsInstance(service.Service):
self.step("restarting directory server", self.__restart_instance) self.step("restarting directory server", self.__restart_instance)
self.step("creating DS keytab", self.request_service_keytab) self.step("creating DS keytab", self.request_service_keytab)
# 389-ds allows to ignore time skew during replication. It is disabled
# by default to avoid issues with non-contiguous CSN values which
# derived from a time stamp when the change occurs. However, there are
# cases when we are interested only in the changes coming from the
# other side and should therefore allow ignoring the time skew.
#
# This helps with initial replication or force-sync because
# the receiving side has no valuable changes itself yet.
self.step("ignore time skew for initial replication",
self.__replica_ignore_initial_time_skew)
self.step("setting up initial replication", self.__setup_replica) self.step("setting up initial replication", self.__setup_replica)
self.step("prevent time skew after initial replication",
self.replica_manage_time_skew)
self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings) self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings)
self.step("updating schema", self.__update_schema) self.step("updating schema", self.__update_schema)
# See LDIFs for automember configuration during replica install # See LDIFs for automember configuration during replica install
@ -933,6 +947,16 @@ class DsInstance(service.Service):
def __add_replication_acis(self): def __add_replication_acis(self):
self._ldap_mod("replica-acis.ldif", self.sub_dict) self._ldap_mod("replica-acis.ldif", self.sub_dict)
def __replica_ignore_initial_time_skew(self):
self.replica_manage_time_skew(prevent=False)
def replica_manage_time_skew(self, prevent=True):
if prevent:
self.sub_dict['SKEWVALUE'] = 'off'
else:
self.sub_dict['SKEWVALUE'] = 'on'
self._ldap_mod("replica-prevent-time-skew.ldif", self.sub_dict)
def __setup_s4u2proxy(self): def __setup_s4u2proxy(self):
self._ldap_mod("replica-s4u2proxy.ldif", self.sub_dict) self._ldap_mod("replica-s4u2proxy.ldif", self.sub_dict)