-
Bug
-
Resolution: Done
-
Undefined
-
rhel-7.9.z
-
ipa-4.12.1-4.el10
-
None
-
Moderate
-
3
-
rhel-sst-idm-ipa
-
ssg_idm
-
24
-
26
-
3
-
QE ack, Dev ack
-
False
-
-
Yes
-
2024-Q3-Alpha-S3, 2024-Q3-Alpha-S4, 2024-Q3-Alpha-S5
-
Pass
-
Automated
-
Bug Fix
-
-
Done
-
-
x86_64
-
None
Description of problem:
It may happen that the replication time skew gets quite significant in some IPA deployments.
There are lengthy and error-prone steps to reset the time skew:
https://directory.fedoraproject.org/docs/389ds/howto/howto-fix-and-reset-time-skew.html
Some customers are happy to enable the LDAP configuration parameter "nsslapd-ignore-time-skew" to let replication flow.
Nonetheless every time the "force-sync" option is used to initiate replication, the "nsslapd-ignore-time-skew" is disabled afterwards.
It would be nice to keep the value configured by IPA administrators.
Version-Release number of selected component (if applicable):
Customer is using IPA 4.6.8-5 on RHEL 7.9
How reproducible:
Always.
Steps to Reproduce:
1. Set "nsslapd-ignore-time-skew" to "on"
2. Run "ipa-replica-manage force-sync"
3. Check the value of "nsslapd-ignore-time-skew". It's now set to "off"
Actual results:
The configured value has been changed after forcing replication.
Expected results:
Customers would like to keep their configured value.
Additional info:
There was an RFE to enable this parameter by default:
https://bugzilla.redhat.com/show_bug.cgi?id=1493150
- external trackers
- links to
-
RHSA-2024:133524 ipa bug fix and enhancement update