We are running Openldap 2.4.44 on RHEL6 in a delta-syncrepl MMR configuration. We are using the ppolicy overlay. This setup is resulting in frequent occurrences on the consumers of:
* delta-sync lost * traversal of the entire directory * delta-syncrepl switches back into refreshAndPersist * slapd memory usage increasing
We have found that this behavior is consistently triggered when the operation that is being replicated involves a password change in combination with the removal of ppolicy attributes (e.g. pwdGraceUseTime and pwdFailureTime).
The detailed debugging output associated with such an occurrence is: ------------------------------------------------------------------------------ 58739e68 bdb_modify_internal: replace userPassword 58739e68 bdb_modify_internal: replace pwdChangedTime 58739e68 bdb_modify_internal: softdel pwdGraceUseTime 58739e68 bdb_modify_internal: add pwdHistory 58739e68 bdb_modify_internal: replace entryCSN 58739e68 bdb_modify_internal: replace modifiersName 58739e68 bdb_modify_internal: replace modifyTimestamp 58739e68 bdb_modify_internal: delete pwdGraceUseTime 58739e68 bdb_modify_internal: 16 modify/delete: pwdGraceUseTime: no such attribute ... 58739e68 do_syncrep2: rid=001 delta-sync lost sync on (reqStart=20170109142959.000006Z,cn=log), switching to REFRESH ------------------------------------------------------------------------------
We have submitted OpenLDAP-ITS #8561 with a unit test and a possible patch to the ppolicy overlay.
If anyone else has run into this, we would be interested in any other work- arounds that have been used to address the issue.
Thank you! Beth
------------------------------------------------------------------------- Beth A. Halsema - GSEC, GSSP-Java email:bhalsema@purdue.edu Sofware Engineer, Identity & Access Management OVPIT - IT Security and Policy 3495 Kent Avenue, Suite 100 Fax : (765) 464-2233 West Lafayette, IN 47906 Campus Mail: ROSS
openldap-technical@openldap.org
-
Beth Halsema