Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Issue 5450 - schema - nsAccountLock should be single valued #5573

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Issue 5450 - schema - nsAccountLock should be single valued #5573

wants to merge 1 commit into from

Conversation

mreynolds389
Copy link
Contributor

Description: nsAccountLock should be single valued

fixes: #5450

@mreynolds389
Issue 5450 - schema - nsAccountLock should be single valued
d3b9b5f 
Description:  nsAccountLock should be single valued

fixes: 389ds#5450

Reviewed by: ?
@tbordaz
Copy link
Contributor

tbordaz commented Dec 16, 2022

Did you test the PR in MMR S1-S2, S1 having this change and S2 having not this change ?
I have a doubt that 'single-valued' will be successfully push against 'multi-valued'

@mreynolds389
Copy link
Contributor Author

Yes I need to test replication in both directions when the schema changes. It's possible this might need to wait for schema replication improvements...

@mreynolds389
Copy link
Contributor Author

Yes I need to test replication in both directions when the schema changes. It's possible this might need to wait for schema replication improvements...

@tbordaz - Well schema replication is not working. The consumer's schema is not updated, and I see no error messages on either replica's logs (with repl logging enabled). So I don't think it's detecting that the schema is different in regards to single vs multivalued. I'll investigate....

@mreynolds389
Copy link
Contributor Author

Yes I need to test replication in both directions when the schema changes. It's possible this might need to wait for schema replication improvements...

@tbordaz - Well schema replication is not working. The consumer's schema is not updated, and I see no error messages on either replica's logs (with repl logging enabled). So I don't think it's detecting that the schema is different in regards to single vs multivalued. I'll investigate....

Ok if I live update the schema, then it does trigger schema replication (schema CSN was previously null after install). Then I see the failure:

[16/Dec/2022:13:13:14.122512949 -0500] - DEBUG - schema_at_compare - local supplier schema attribute [nsAccountLock] is not "single-valued" 
[16/Dec/2022:13:13:14.137866487 -0500] - DEBUG - schema_at_superset_check - Remote nsAccountLock schema attributetypes is a superset of the received one.
[16/Dec/2022:13:13:14.145499551 -0500] - DEBUG - schema_at_superset_check - Fail to retrieve in the local supplier schema [nsslapd-conntablesize or 2.16.840.1.113730.3.1.2247]
[16/Dec/2022:13:13:14.169673186 -0500] - DEBUG - schema_at_compare - remote consumer schema attribute [nsAccountLock] is not "single-valued" 
[16/Dec/2022:13:13:14.175907362 -0500] - DEBUG - schema_list_attr2learn - Add that unknown/extended attribute nsAccountLock (2.16.840.1.113730.3.1.610)
[16/Dec/2022:13:13:14.183878665 -0500] - DEBUG - schema_list_attr2learn - Add that unknown/extended attribute nsslapd-conntablesize (2.16.840.1.113730.3.1.2247)
[16/Dec/2022:13:13:14.192949109 -0500] - DEBUG - schema - supplier takes attributetypes: ( 2.16.840.1.113730.3.1.2247 NAME 'nsslapd-conntablesize' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
[16/Dec/2022:13:13:14.199242004 -0500] - DEBUG - schema - supplier takes attributetypes: ( 2.16.840.1.113730.3.1.610 NAME 'nsAccountLock' DESC 'Operational attribute for Account Inactivation' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE directoryOperation X-ORIGIN 'Netscape Directory Server' )
[16/Dec/2022:13:13:14.205489329 -0500] - DEBUG - modify_schema_prepare_mods - MOD[0] add (attributetypes): ( 2.16.840.1.113730.3.1.2247 NAME 'nsslapd-conntablesize' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
[16/Dec/2022:13:13:14.211718559 -0500] - DEBUG - modify_schema_prepare_mods - MOD[1] add (attributetypes): ( 2.16.840.1.113730.3.1.610 NAME 'nsAccountLock' DESC 'Operational attribute for Account Inactivation' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE directoryOperation X-ORIGIN 'Netscape Directory Server' )
[16/Dec/2022:13:13:14.218283245 -0500] - DEBUG - modify_schema_internal_mod - Successfully learn attributetypes definitions
[16/Dec/2022:13:13:14.224581281 -0500] - ERR - NSMMReplicationPlugin - update_consumer_schema - [S] Schema agmt="cn=beakerBox" (kvm-06-guest12:389) must not be overwritten (set replication log for additional info)
[16/Dec/2022:13:13:14.230846800 -0500] - DEBUG - NSMMReplicationPlugin - conn_push_schema - [S] schema definitions may have been learned
[16/Dec/2022:13:13:14.827480889 -0500] - DEBUG - NSMMReplicationPlugin - conn_push_schema - Schema checking successful: ok to push the schema (agmt="cn=beakerBox" (kvm-06-guest12:389))

It's not entirely clear to me why it failed looking at the logs. I guess it's this line:

[16/Dec/2022:13:13:14.137866487 -0500] - DEBUG - schema_at_superset_check - Remote nsAccountLock schema attributetypes is a superset of the received one.

But the other logging messages make it appear that schema replication did work. So this should be improved somehow.

@mreynolds389 mreynolds389 added schema Schema related issue replication Issue involves replication work in progress Work in Progress - can be reviewed, but not ready for merge. labels Dec 16, 2022
Firstyear
Firstyear approved these changes Dec 19, 2022
View reviewed changes
Copy link
Contributor

@Firstyear Firstyear left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

going to approve because this change is "correct", but also could we consider as a saftey to have checks on nsAccountLock check if it's multivalue and then if any value is true, consider locked?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Firstyear Firstyear Firstyear approved these changes

Assignees
No one assigned
Labels
replication Issue involves replication schema Schema related issue work in progress Work in Progress - can be reviewed, but not ready for merge.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

nsAccountLockout should be single valued
3 participants
@mreynolds389 @tbordaz @Firstyear