4224 openldap entryuuid confusion #4344
@Firstyear the overall patch looks very nice. I have minor comments. However I would appreciate a design (port389) describing the solution and the choices
b456330 to 5eb10cc
@tbordaz Thanks for your review, I have updated all the areas you commented on, and I have updated https://www.port389.org/docs/389ds/design/openldap2ds.html with details about the syncrepl changes.
@tbordaz, @mreynolds389 Review reminder :)
Ping @tbordaz and @mreynolds389 :)
Ping @tbordaz and @mreynolds389,
@tbordaz has been doing a lot of work around sync repl lately. I'd prefer him to do this review as it could impact what he is working on
Yeah, that's fair @mreynolds389. I'll poke him some more then about the matter :)
5eb10cc to da51939
@Firstyear except those two last comments/questions, the overall patch looks nice to me
Hey mate, I don't see the two comments/questions you are referring to? All the comments I can see are your older ones which have been addressed?
@Firstyear, definitely something I do not understand with PR. Some comments can remain "hidden" and some others are public. I do not know what to do to make all my comments public. Can you see my two comments (sync_create_state_control, null cookie)?
If you start a review, your comments are "staged" in your browser, and only if you click "complete review" in the top right do they become visible to me and others. Maybe that's what is going on?
@tbordaz I think your python tests are failing because of this python-ldap/python-ldap#351 I indicated in a comment how to check your python ldap version for this :)
Exactly!! You cannot imagine the amount of time I spent to identify that the failure was due to incorrect python-ldap failing to decode syncInfo. As I am still testing with prefix_install I was using an old version of python-ldap. Thanks for having fixed that.
@tbordaz Okay, I've updated this - I've fixed the null deref, and added flags to the tests to prevent them running if python ldap is too old, as well as checking for enable-rust which gives the entry uuid support. I've run all the sync repl tests and they all pass.
Sorry, I cannot see the changes in the patch. Am I missing something?
da51939 to 7320dd6
Nope, I made a mistake in my push - I pushed the branch to the upstream project, rather than my fork. No damage done to upstream since it was a unique branch name, so I have deleted the mistake, and now pushed to the correct branch. You should now see the changes. Sorry about that :(
7320dd6 to 47e245a
Thanks for the patch. LGTM. Ack
Thanks @tbordaz I might ask @mreynolds389 getting a second look over as well. Really appreciate your help :)
LGTM
Bug Description: The cookie encodes which changelog entries we have seen up to and including. However, the sync process would then re-send the cl item from the cookie number. This could cause corruption in some cases as some combinations of actions between two points are no-oped in the server.
Fix Description: Fix the changelog search to always process that entries of the CL must be greater than, but not equal to the already seen CL items from the cookie.
Fixes: 389ds#4313
Author: William Brown <william@blackhats.net.au>
Review by: @tbordaz

Bug Description: This is a supplement to 51260.
Fix Description: This expands the test cases to be able to detect the subsequent data corruption of 51260. This also improves documentation around the rfc, and some todo comments for future work with entryuuid + openldap.
Fixes: 389ds#4313
Author: William Brown <william@blackhats.net.au>
Review by: @tbordaz

Bug Description: OpenLDAP server as a syncrepl consumer enforces the condition that syncUUID in ldap messages must match the entryuuid of the entry. This is not in the RFC but it affects this one situation.
Fix Description: To resolve this, we enforce that entryuuid is a requirement to the openldap syncrepl mode. Only entries with an entryuuid can be sent to openldap. Additionally, this mode is disabled by default by a configuration parameter "syncrepl-allow-openldap" in the content sync plugin config.
Fixes: 389ds#4224
Author: William Brown <william@blackhats.net.au>
Review by: @tbordaz (Thanks!)
47e245a to ce7ec36
NOTE: It looks like the commits from 51260 which were previously merged seem to be missing after the migration, so this branch includes those.
Thanks!
Fixes: #4313 #4224