Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: rhel-10.0.beta
Affects Version/s: rhel-7.9.z
Component/s: ipa
Labels:

Fixed in Build:
ipa-4.12.1-4.el10
Regression:
None
Severity:
Moderate
Epic Link:
FREEIPA-9612
sprint_count:
3

Pool Team:

sst_idm_ipa
Sub-System Group:

ssg_idm

Dev Target Milestone:
24
Internal Target Milestone:
26
Story Points:
3
ACKs Check:

QE ack, Dev ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Sprint:
2024-Q3-Alpha-S3, 2024-Q3-Alpha-S4, 2024-Q3-Alpha-S5

Preliminary Testing:
Pass
Test Link:
https://github.com/freeipa/freeipa/pull/7489
Errata Link:
https://errata.engineering.redhat.com/advisory/133524
Test Coverage:

Automated

Release Note Type:
Bug Fix
Release Note Text:

Hide
.The `ipa-replica-manage` command no longer resets the `nsslapd-ignore-time-skew` setting during forced replication

Previously, the `ipa-replica-manage` `force-sync` command reset the `nsslapd-ignore-time-skew` setting to `off`, regardless of the configured value. With this update, the `nsslapd-ignore-time-skew` setting is no longer overwritten during forced replication.

Show
.The `ipa-replica-manage` command no longer resets the `nsslapd-ignore-time-skew` setting during forced replication Previously, the `ipa-replica-manage` `force-sync` command reset the `nsslapd-ignore-time-skew` setting to `off`, regardless of the configured value. With this update, the `nsslapd-ignore-time-skew` setting is no longer overwritten during forced replication.
Release Note Status:
Done

Experience:
Architecture:

x86_64
Bugzilla Bug:
RHBZ: 2091631

PX Impact Score:
PX Priority Data:
PX Review Complete:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Description of problem:
It may happen that the replication time skew gets quite significant in some IPA deployments.
There are lengthy and error-prone steps to reset the time skew:
https://directory.fedoraproject.org/docs/389ds/howto/howto-fix-and-reset-time-skew.html

Some customers are happy to enable the LDAP configuration parameter "nsslapd-ignore-time-skew" to let replication flow.
Nonetheless every time the "force-sync" option is used to initiate replication, the "nsslapd-ignore-time-skew" is disabled afterwards.

It would be nice to keep the value configured by IPA administrators.

Version-Release number of selected component (if applicable):
Customer is using IPA 4.6.8-5 on RHEL 7.9

How reproducible:
Always.

Steps to Reproduce:
1. Set "nsslapd-ignore-time-skew" to "on"
2. Run "ipa-replica-manage force-sync"
3. Check the value of "nsslapd-ignore-time-skew". It's now set to "off"

Actual results:
The configured value has been changed after forcing replication.

Expected results:
Customers would like to keep their configured value.

Additional info:
There was an RFE to enable this parameter by default:
https://bugzilla.redhat.com/show_bug.cgi?id=1493150

external trackers

Red Hat Customer Portal 03201118

Red Hat Issue Tracker FREEIPA-8311

Red Hat Issue Tracker RHELPLAN-123671

links to

RHSA-2024:133524 ipa bug fix and enhancement update

Assignee:: Florence Renaud

Reporter:: Têko Mihinto

Developer:: Florence Renaud

QA Contact:: Erik Belko

Doc Contact:: Dominika Borges

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Created:: 2023/09/18 6:57 PM

Updated:: 2024/11/08 4:05 PM

Dev Target end:: 2024/08/12

Target end:: 2024/08/26

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates