Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-4879

RFE - Keep the configured value for the "nsslapd-ignore-time-skew" after a "force-sync".

    • ipa-4.12.1-4.el10
    • None
    • Moderate
    • 3
    • rhel-sst-idm-ipa
    • ssg_idm
    • 24
    • 26
    • 3
    • QE ack, Dev ack
    • False
    • Hide

      None

      Show
      None
    • Yes
    • 2024-Q3-Alpha-S3, 2024-Q3-Alpha-S4, 2024-Q3-Alpha-S5
    • Bug Fix
    • Hide
      .The `ipa-replica-manage` command no longer resets the `nsslapd-ignore-time-skew` setting during forced replication

      Previously, the `ipa-replica-manage` `force-sync` command reset the `nsslapd-ignore-time-skew` setting to `off`, regardless of the configured value. With this update, the `nsslapd-ignore-time-skew` setting is no longer overwritten during forced replication.
      Show
      .The `ipa-replica-manage` command no longer resets the `nsslapd-ignore-time-skew` setting during forced replication Previously, the `ipa-replica-manage` `force-sync` command reset the `nsslapd-ignore-time-skew` setting to `off`, regardless of the configured value. With this update, the `nsslapd-ignore-time-skew` setting is no longer overwritten during forced replication.
    • Done
    • None

      Description of problem:
      It may happen that the replication time skew gets quite significant in some IPA deployments.
      There are lengthy and error-prone steps to reset the time skew:
      https://directory.fedoraproject.org/docs/389ds/howto/howto-fix-and-reset-time-skew.html

      Some customers are happy to enable the LDAP configuration parameter "nsslapd-ignore-time-skew" to let replication flow.
      Nonetheless every time the "force-sync" option is used to initiate replication, the "nsslapd-ignore-time-skew" is disabled afterwards.

      It would be nice to keep the value configured by IPA administrators.

      Version-Release number of selected component (if applicable):
      Customer is using IPA 4.6.8-5 on RHEL 7.9

      How reproducible:
      Always.

      Steps to Reproduce:
      1. Set "nsslapd-ignore-time-skew" to "on"
      2. Run "ipa-replica-manage force-sync"
      3. Check the value of "nsslapd-ignore-time-skew". It's now set to "off"

      Actual results:
      The configured value has been changed after forcing replication.

      Expected results:
      Customers would like to keep their configured value.

      Additional info:
      There was an RFE to enable this parameter by default:
      https://bugzilla.redhat.com/show_bug.cgi?id=1493150

              frenaud@redhat.com Florence Renaud
              rhn-support-tmihinto Têko Mihinto
              Florence Renaud Florence Renaud
              Erik Belko Erik Belko
              Dominika Borges Dominika Borges
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

                Created:
                Updated:
                Resolved: