Updating attributetypes in schema is unpredictable #5366
Labels
needs triage
The issue will be triaged during scrum
Comments
rcritten
added a commit
to rcritten/freeipa
that referenced
this issue
Aug 1, 2022
There are currently three sets of CA schema changes applied in ipa-server-upgrade: * addition of ACME schema * addition of certificate profile schema * addition of lightweight CA schema None of these require a restart of the CA to be supported. There is an issue in schema parsing such that it doesn't handle X-ORIGIN properly. A difference is detected and a change applied but no change is recorded in LDAP so every time upgrade is run it thinks a CA restart is needed. The CA is not quick to restart so avoiding one is best, particularly when the update is run as part of an rpm transaction where a user with an itchy finger may think things have hung and break out of it. 389ds/389-ds-base#5366 was filed to track this. Related: https://pagure.io/freeipa/issue/9204 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
abbra
pushed a commit
to freeipa/freeipa
that referenced
this issue
Aug 16, 2022
There are currently three sets of CA schema changes applied in ipa-server-upgrade: * addition of ACME schema * addition of certificate profile schema * addition of lightweight CA schema None of these require a restart of the CA to be supported. There is an issue in schema parsing such that it doesn't handle X-ORIGIN properly. A difference is detected and a change applied but no change is recorded in LDAP so every time upgrade is run it thinks a CA restart is needed. The CA is not quick to restart so avoiding one is best, particularly when the update is run as part of an rpm transaction where a user with an itchy finger may think things have hung and break out of it. 389ds/389-ds-base#5366 was filed to track this. Related: https://pagure.io/freeipa/issue/9204 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
flo-renaud
pushed a commit
to flo-renaud/freeipa
that referenced
this issue
Aug 16, 2022
There are currently three sets of CA schema changes applied in ipa-server-upgrade: * addition of ACME schema * addition of certificate profile schema * addition of lightweight CA schema None of these require a restart of the CA to be supported. There is an issue in schema parsing such that it doesn't handle X-ORIGIN properly. A difference is detected and a change applied but no change is recorded in LDAP so every time upgrade is run it thinks a CA restart is needed. The CA is not quick to restart so avoiding one is best, particularly when the update is run as part of an rpm transaction where a user with an itchy finger may think things have hung and break out of it. 389ds/389-ds-base#5366 was filed to track this. Related: https://pagure.io/freeipa/issue/9204 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
flo-renaud
pushed a commit
to flo-renaud/freeipa
that referenced
this issue
Aug 16, 2022
There are currently three sets of CA schema changes applied in ipa-server-upgrade: * addition of ACME schema * addition of certificate profile schema * addition of lightweight CA schema None of these require a restart of the CA to be supported. There is an issue in schema parsing such that it doesn't handle X-ORIGIN properly. A difference is detected and a change applied but no change is recorded in LDAP so every time upgrade is run it thinks a CA restart is needed. The CA is not quick to restart so avoiding one is best, particularly when the update is run as part of an rpm transaction where a user with an itchy finger may think things have hung and break out of it. 389ds/389-ds-base#5366 was filed to track this. Related: https://pagure.io/freeipa/issue/9204 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
abbra
pushed a commit
to freeipa/freeipa
that referenced
this issue
Aug 16, 2022
There are currently three sets of CA schema changes applied in ipa-server-upgrade: * addition of ACME schema * addition of certificate profile schema * addition of lightweight CA schema None of these require a restart of the CA to be supported. There is an issue in schema parsing such that it doesn't handle X-ORIGIN properly. A difference is detected and a change applied but no change is recorded in LDAP so every time upgrade is run it thinks a CA restart is needed. The CA is not quick to restart so avoiding one is best, particularly when the update is run as part of an rpm transaction where a user with an itchy finger may think things have hung and break out of it. 389ds/389-ds-base#5366 was filed to track this. Related: https://pagure.io/freeipa/issue/9204 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
abbra
pushed a commit
to freeipa/freeipa
that referenced
this issue
Aug 16, 2022
There are currently three sets of CA schema changes applied in ipa-server-upgrade: * addition of ACME schema * addition of certificate profile schema * addition of lightweight CA schema None of these require a restart of the CA to be supported. There is an issue in schema parsing such that it doesn't handle X-ORIGIN properly. A difference is detected and a change applied but no change is recorded in LDAP so every time upgrade is run it thinks a CA restart is needed. The CA is not quick to restart so avoiding one is best, particularly when the update is run as part of an rpm transaction where a user with an itchy finger may think things have hung and break out of it. 389ds/389-ds-base#5366 was filed to track this. Related: https://pagure.io/freeipa/issue/9204 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Issue Description
Background: IPA loads some PKI schema as part of its upgrade process. This is in the context of a slew of potential changes to CA configuration. If any change is detected as having been made a CA restart is done. This is slow-ish and we try to avoid it where possible.
It turns out that the X-ORIGIN is the root cause for the restarts. This is being detected by our code:
Replace: ( authorityKeyNickname-oid NAME 'authorityKeyNickname' DESC 'Authority key nickname' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN ( 'user-defined' 'user defined' ) )
with: ( authorityKeyNickname-oid NAME 'authorityKeyNickname' DESC 'Authority key nickname' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'user-defined' )
Note that it detects that the current X-ORIGIN is duplicated and it wants to flip it back to a single value.
The update we generate, and I'm not 100% sure why yet, consists only of a MOD_ADD. The change is "successful" in that an error isn't returned but X-ORIGIN isn't changed so next time we run an upgrade this will happen again.
So I tried this with ldapmodify. I tried changing the SYNTAX for this from 1.3.6...26 to 1.3.6...25. And X-ORIGIN is tweaked as well.
It changed to 25!? But X-ORIGIN remains the same. I can reverse back to 26 and it updates again. I haven't played with any other schema syntax like match, sort, etc.
Package Version and Platform:
The text was updated successfully, but these errors were encountered: