#148 Dual winsync paths results in LDAP ADD collision on AD
Closed: wontfix 4 years ago by mreynolds. Opened 12 years ago by mkosek.

https://bugzilla.redhat.com/show_bug.cgi?id=182515

Description of problem:
In a configuration with two DS in MMR (M1 and M2) and two AD in the same domain
(AD1 and AD2), if we configure M1 to sync with AD1 and M2 to sync with AD2, we
have a ring configuration with good availability.  Changes will be available
everywhere even if a server crashes.

However, replication between AD1 and AD2 seems to always lag behind slightly.
If user uid=fbar,o=abc is added to M1, then uid=fbar,o=abc will be added right
away to M2.  Then M1 and M2 will both sync the user (with DN morphed into
CN=foo
bar,o=abc) to their respective AD sync partners.

Here comes the problem.  Sometimes, not always, the sync from M1 to AD1 and the
sync from M2 to AD2 both succeed because of the lag between AD1 and AD2.  This
results in an update collision.  In both AD1 and AD2 we end up with CN=foo
bar,o=abc, and another entry called CN=foo
bar\0ACNF:8ba01336-6466-4495-85c4-54d4bd24549f,o=abc.  And then, because adding
users is a 3 step process (add user, mod password, mod activation flag) the
former is left inactive, while the latter is activated.  I'm not sure which of
them gets the password!

And it doesn't stop there.  Then next time DS calls dirsync on ADS, another cn
will added to uid=fbar,o=abc on M1 and M2 containing
CNF:8ba01336-6466-4495-85c4-54d4bd24549f.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.Configure MMR between replicas M1 and M2
2.Configure two AD domain controllers in a single domain, AD1 and AD2
3.Configure sync between M1 and AD1 and M2 and AD2
4.Add some NT users to M1.  Some, but not all, will collide on AD1 and AD2.

Actual results:


Expected results:


Additional info:

batch update moving tickets to future

set default ticket origin to Community

Added initial screened field value.

Metadata Update from @nkinder:
- Issue set to the milestone: FUTURE

7 years ago

Metadata Update from @mreynolds:
- Custom field reviewstatus adjusted to None (was: Needs Review)
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

4 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/148

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata