Blob Blame Raw
From 5d730f7e9f1e857bc886556db0229607b8d536d2 Mon Sep 17 00:00:00 2001
From: tbordaz <tbordaz@redhat.com>
Date: Thu, 6 May 2021 18:54:20 +0200
Subject: [PATCH 01/12] Issue 4747 - Remove unstable/unstatus tests from PRCI
 (#4748)

Bug description:
	Some tests (17) in the tests suite (dirsrvtest/tests/suites)
	are failing although there is no regression.
	It needs (long) investigations to status if failures
	are due to a bug in the tests or in DS core.
	Until those investigations are completes, test suites
	loose a large part of its value to detect regression.
	Indeed those failing tests may hide a real regression.

Fix description:
	Flag failing tests with pytest.mark.flaky(max_runs=2, min_passes=1)
	Additional action will be to create upstream 17 ticket to
	status on each failing tests

relates: https://github.com/389ds/389-ds-base/issues/4747

Reviewed by: Simon Pichugin, Viktor Ashirov (many thanks for your
reviews and help)

Platforms tested: F33
---
 .github/workflows/pytest.yml                  |  84 +++++
 dirsrvtests/tests/suites/acl/keywords_test.py |  16 +-
 .../tests/suites/clu/dsctl_acceptance_test.py |  56 ---
 .../tests/suites/clu/repl_monitor_test.py     |   2 +
 .../dynamic_plugins/dynamic_plugins_test.py   |   8 +-
 .../suites/fourwaymmr/fourwaymmr_test.py      |   3 +-
 .../suites/healthcheck/health_config_test.py  |   1 +
 .../suites/healthcheck/health_sync_test.py    |   2 +
 .../tests/suites/import/import_test.py        |  23 +-
 .../tests/suites/indexes/regression_test.py   |  63 ++++
 .../paged_results/paged_results_test.py       |   3 +-
 .../tests/suites/password/regression_test.py  |   2 +
 .../tests/suites/plugins/accpol_test.py       |  20 +-
 .../suites/plugins/managed_entry_test.py      | 351 ++++++++++++++++++
 .../tests/suites/plugins/memberof_test.py     |   3 +-
 .../suites/replication/cleanallruv_test.py    |   8 +-
 .../suites/replication/encryption_cl5_test.py |   8 +-
 .../tests/suites/retrocl/basic_test.py        | 292 ---------------
 18 files changed, 576 insertions(+), 369 deletions(-)
 create mode 100644 .github/workflows/pytest.yml
 delete mode 100644 dirsrvtests/tests/suites/clu/dsctl_acceptance_test.py
 create mode 100644 dirsrvtests/tests/suites/plugins/managed_entry_test.py
 delete mode 100644 dirsrvtests/tests/suites/retrocl/basic_test.py

diff --git a/.github/workflows/pytest.yml b/.github/workflows/pytest.yml
new file mode 100644
index 000000000..015794d96
--- /dev/null
+++ b/.github/workflows/pytest.yml
@@ -0,0 +1,84 @@
+name: Test
+
+on: [push, pull_request]
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-20.04
+    container:
+      image: quay.io/389ds/ci-images:test
+    outputs:
+        matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Get a list of all test suites
+        id: set-matrix
+        run: echo "::set-output name=matrix::$(python3 .github/scripts/generate_matrix.py)"
+
+      - name: Build RPMs
+        run: cd $GITHUB_WORKSPACE && SKIP_AUDIT_CI=1 make -f rpm.mk dist-bz2 rpms
+
+      - name: Tar build artifacts
+        run: tar -cvf dist.tar dist/
+
+      - name: Upload RPMs
+        uses: actions/upload-artifact@v2
+        with:
+          name: rpms
+          path: dist.tar
+
+  test:
+    name: Test
+    runs-on: ubuntu-20.04
+    needs: build
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJson(needs.build.outputs.matrix) }}
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v2
+
+    - name: Install dependencies
+      run: |
+        sudo apt update -y
+        sudo apt install -y docker.io containerd runc
+
+        sudo cp .github/daemon.json /etc/docker/daemon.json
+
+        sudo systemctl unmask docker
+        sudo systemctl start docker
+
+    - name: Download RPMs
+      uses: actions/download-artifact@master
+      with:
+        name: rpms
+    
+    - name: Extract RPMs
+      run: tar xvf dist.tar
+
+    - name: Run pytest in a container
+      run: |
+        set -x
+        CID=$(sudo docker run -d -h server.example.com --privileged --rm -v /sys/fs/cgroup:/sys/fs/cgroup:rw,rslave -v ${PWD}:/workspace quay.io/389ds/ci-images:test)
+        sudo docker exec $CID sh -c "dnf install -y -v dist/rpms/*rpm"
+        sudo docker exec $CID py.test  --suppress-no-test-exit-code  -m "not flaky" --junit-xml=pytest.xml -v dirsrvtests/tests/suites/${{ matrix.suite }}
+
+    - name: Make the results file readable by all
+      if: always()
+      run:
+        sudo chmod -f a+r pytest.xml
+
+    - name: Sanitize filename
+      run: echo "PYTEST_SUITE=$(echo ${{ matrix.suite }} | sed -e 's#\/#-#g')" >> $GITHUB_ENV
+      
+    - name: Upload pytest test results
+      if: always()
+      uses: actions/upload-artifact@v2
+      with:
+        name: pytest-${{ env.PYTEST_SUITE }}
+        path: pytest.xml
+ 
diff --git a/dirsrvtests/tests/suites/acl/keywords_test.py b/dirsrvtests/tests/suites/acl/keywords_test.py
index 0174152e3..c5e989f3b 100644
--- a/dirsrvtests/tests/suites/acl/keywords_test.py
+++ b/dirsrvtests/tests/suites/acl/keywords_test.py
@@ -216,7 +216,8 @@ def test_user_binds_without_any_password_and_cannot_access_the_data(topo, add_us
     with pytest.raises(ldap.INSUFFICIENT_ACCESS):
         org.replace("seeAlso", "cn=1")
 
-
+#unstable or unstatus tests, skipped for now
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 def test_user_can_access_the_data_when_connecting_from_any_machine(
         topo, add_user, aci_of_user
 ):
@@ -245,6 +246,8 @@ def test_user_can_access_the_data_when_connecting_from_any_machine(
     OrganizationalUnit(conn, DNS_OU_KEY).replace("seeAlso", "cn=1")
 
 
+#unstable or unstatus tests, skipped for now
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 def test_user_can_access_the_data_when_connecting_from_internal_ds_network_only(
         topo, add_user, aci_of_user
 ):
@@ -276,7 +279,8 @@ def test_user_can_access_the_data_when_connecting_from_internal_ds_network_only(
     # Perform Operation
     OrganizationalUnit(conn, DNS_OU_KEY).replace("seeAlso", "cn=1")
 
-
+#unstable or unstatus tests, skipped for now
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 def test_user_can_access_the_data_when_connecting_from_some_network_only(
         topo, add_user, aci_of_user
 ):
@@ -306,7 +310,8 @@ def test_user_can_access_the_data_when_connecting_from_some_network_only(
     # Perform Operation
     OrganizationalUnit(conn, DNS_OU_KEY).replace("seeAlso", "cn=1")
 
-
+#unstable or unstatus tests, skipped for now
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 def test_from_an_unauthorized_network(topo, add_user, aci_of_user):
     """User cannot access the data when connecting from an unauthorized network as per the ACI.
 
@@ -332,7 +337,8 @@ def test_from_an_unauthorized_network(topo, add_user, aci_of_user):
     # Perform Operation
     OrganizationalUnit(conn, DNS_OU_KEY).replace("seeAlso", "cn=1")
 
-
+#unstable or unstatus tests, skipped for now
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 def test_user_cannot_access_the_data_when_connecting_from_an_unauthorized_network_2(
         topo, add_user, aci_of_user):
     """User cannot access the data when connecting from an unauthorized network as per the ACI.
@@ -418,6 +424,8 @@ def test_dnsalias_keyword_test_nodns_cannot(topo, add_user, aci_of_user):
     with pytest.raises(ldap.INSUFFICIENT_ACCESS):
         org.replace("seeAlso", "cn=1")
 
+#unstable or unstatus tests, skipped for now
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 @pytest.mark.ds50378
 @pytest.mark.bz1710848
 @pytest.mark.parametrize("ip_addr", ['127.0.0.1', "[::1]"])
diff --git a/dirsrvtests/tests/suites/clu/dsctl_acceptance_test.py b/dirsrvtests/tests/suites/clu/dsctl_acceptance_test.py
deleted file mode 100644
index a0f89defd..000000000
--- a/dirsrvtests/tests/suites/clu/dsctl_acceptance_test.py
+++ /dev/null
@@ -1,56 +0,0 @@
-# --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2021 Red Hat, Inc.
-# All rights reserved.
-#
-# License: GPL (version 3 or any later version).
-# See LICENSE for details.
-# --- END COPYRIGHT BLOCK ---
-
-import logging
-import pytest
-import os
-from lib389._constants import *
-from lib389.topologies import topology_st as topo
-
-log = logging.getLogger(__name__)
-
-
-def test_custom_path(topo):
-    """Test that a custom path, backup directory, is correctly used by lib389
-    when the server is stopped.
-
-    :id: 8659e209-ee83-477e-8183-1d2f555669ea
-    :setup: Standalone Instance
-    :steps:
-        1. Get the LDIF directory
-        2. Change the server's backup directory to the LDIF directory
-        3. Stop the server, and perform a backup
-        4. Backup was written to LDIF directory
-    :expectedresults:
-        1. Success
-        2. Success
-        3. Success
-        4. Success
-    """
-
-    # Get LDIF dir
-    ldif_dir = topo.standalone.get_ldif_dir()
-
-    # Set backup directory to LDIF directory
-    topo.standalone.config.replace('nsslapd-bakdir', ldif_dir)
-
-    # Stop the server and take a backup
-    topo.standalone.stop()
-    topo.standalone.db2bak(None)
-
-    # Verify backup was written to LDIF directory
-    backups = os.listdir(ldif_dir)
-    assert len(backups)
-
-
-if __name__ == '__main__':
-    # Run isolated
-    # -s for DEBUG mode
-    CURRENT_FILE = os.path.realpath(__file__)
-    pytest.main(["-s", CURRENT_FILE])
-
diff --git a/dirsrvtests/tests/suites/clu/repl_monitor_test.py b/dirsrvtests/tests/suites/clu/repl_monitor_test.py
index 9428edb26..3cf6343c8 100644
--- a/dirsrvtests/tests/suites/clu/repl_monitor_test.py
+++ b/dirsrvtests/tests/suites/clu/repl_monitor_test.py
@@ -90,6 +90,8 @@ def get_hostnames_from_log(port1, port2):
         host_m2 = match.group(2)
     return (host_m1, host_m2)
 
+#unstable or unstatus tests, skipped for now
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 @pytest.mark.ds50545
 @pytest.mark.bz1739718
 @pytest.mark.skipif(ds_is_older("1.4.0"), reason="Not implemented")
diff --git a/dirsrvtests/tests/suites/dynamic_plugins/dynamic_plugins_test.py b/dirsrvtests/tests/suites/dynamic_plugins/dynamic_plugins_test.py
index b61daed74..7558cc03d 100644
--- a/dirsrvtests/tests/suites/dynamic_plugins/dynamic_plugins_test.py
+++ b/dirsrvtests/tests/suites/dynamic_plugins/dynamic_plugins_test.py
@@ -68,7 +68,8 @@ def check_replicas(topology_m2):
 
     log.info('Data is consistent across the replicas.\n')
 
-
+#unstable or unstatus tests, skipped for now
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 def test_acceptance(topology_m2):
     """Exercise each plugin and its main features, while
     changing the configuration without restarting the server.
@@ -140,7 +141,8 @@ def test_acceptance(topology_m2):
     ############################################################################
     check_replicas(topology_m2)
 
-
+#unstable or unstatus tests, skipped for now
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 def test_memory_corruption(topology_m2):
     """Check the plugins for memory corruption issues while
     dynamic plugins option is enabled
@@ -242,6 +244,8 @@ def test_memory_corruption(topology_m2):
     ############################################################################
     check_replicas(topology_m2)
 
+#unstable or unstatus tests, skipped for now
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 @pytest.mark.tier2
 def test_stress(topology_m2):
     """Test plugins while under a big load. Perform the test 5 times
diff --git a/dirsrvtests/tests/suites/fourwaymmr/fourwaymmr_test.py b/dirsrvtests/tests/suites/fourwaymmr/fourwaymmr_test.py
index 5b0754a2e..c5a746ebb 100644
--- a/dirsrvtests/tests/suites/fourwaymmr/fourwaymmr_test.py
+++ b/dirsrvtests/tests/suites/fourwaymmr/fourwaymmr_test.py
@@ -144,7 +144,8 @@ def test_delete_a_few_entries_in_m4(topo_m4, _cleanupentris):
         topo_m4.ms["supplier4"], topo_m4.ms["supplier3"], 30
     )
 
-
+#unstable or unstatus tests, skipped for now
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 def test_replicated_multivalued_entries(topo_m4):
     """
     Replicated multivalued entries are ordered the same way on all consumers
diff --git a/dirsrvtests/tests/suites/healthcheck/health_config_test.py b/dirsrvtests/tests/suites/healthcheck/health_config_test.py
index 3d102e859..f470c05c6 100644
--- a/dirsrvtests/tests/suites/healthcheck/health_config_test.py
+++ b/dirsrvtests/tests/suites/healthcheck/health_config_test.py
@@ -337,6 +337,7 @@ def test_healthcheck_low_disk_space(topology_st):
     os.remove(file)
 
 
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 @pytest.mark.ds50791
 @pytest.mark.bz1843567
 @pytest.mark.xfail(ds_is_older("1.4.3.8"), reason="Not implemented")
diff --git a/dirsrvtests/tests/suites/healthcheck/health_sync_test.py b/dirsrvtests/tests/suites/healthcheck/health_sync_test.py
index 75bbfd35c..74df1b322 100644
--- a/dirsrvtests/tests/suites/healthcheck/health_sync_test.py
+++ b/dirsrvtests/tests/suites/healthcheck/health_sync_test.py
@@ -70,6 +70,8 @@ def run_healthcheck_and_flush_log(topology, instance, searched_code, json, searc
 @pytest.mark.ds50873
 @pytest.mark.bz1685160
 @pytest.mark.xfail(ds_is_older("1.4.1"), reason="Not implemented")
+#unstable or unstatus tests, skipped for now
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 def test_healthcheck_replication_out_of_sync_not_broken(topology_m3):
     """Check if HealthCheck returns DSREPLLE0003 code
 
diff --git a/dirsrvtests/tests/suites/import/import_test.py b/dirsrvtests/tests/suites/import/import_test.py
index defe447d5..119b097f1 100644
--- a/dirsrvtests/tests/suites/import/import_test.py
+++ b/dirsrvtests/tests/suites/import/import_test.py
@@ -14,6 +14,7 @@ import os
 import pytest
 import time
 import glob
+import logging
 from lib389.topologies import topology_st as topo
 from lib389._constants import DEFAULT_SUFFIX, TaskWarning
 from lib389.dbgen import dbgen_users
@@ -28,6 +29,12 @@ from lib389.idm.account import Accounts
 
 pytestmark = pytest.mark.tier1
 
+DEBUGGING = os.getenv("DEBUGGING", default=False)
+if DEBUGGING:
+    logging.getLogger(__name__).setLevel(logging.DEBUG)
+else:
+    logging.getLogger(__name__).setLevel(logging.INFO)
+log = logging.getLogger(__name__)
 
 def _generate_ldif(topo, no_no):
     """
@@ -349,7 +356,8 @@ def _toggle_private_import_mem(request, topo):
             ('nsslapd-db-private-import-mem', 'off'))
     request.addfinalizer(finofaci)
 
-
+#unstable or unstatus tests, skipped for now
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 def test_fast_slow_import(topo, _toggle_private_import_mem, _import_clean):
     """With nsslapd-db-private-import-mem: on is faster import.
 
@@ -381,16 +389,19 @@ def test_fast_slow_import(topo, _toggle_private_import_mem, _import_clean):
     # Let's set nsslapd-db-private-import-mem:on, nsslapd-import-cache-autosize: 0
     config = LDBMConfig(topo.standalone)
     # Measure offline import time duration total_time1
-    total_time1 = _import_offline(topo, 20)
+    total_time1 = _import_offline(topo, 1000)
     # Now nsslapd-db-private-import-mem:off
     config.replace('nsslapd-db-private-import-mem', 'off')
     accounts = Accounts(topo.standalone, DEFAULT_SUFFIX)
     for i in accounts.filter('(uid=*)'):
         UserAccount(topo.standalone, i.dn).delete()
     # Measure offline import time duration total_time2
-    total_time2 = _import_offline(topo, 20)
+    total_time2 = _import_offline(topo, 1000)
     # total_time1 < total_time2
+    log.info("total_time1 = %f" % total_time1)
+    log.info("total_time2 = %f" % total_time2)
     assert total_time1 < total_time2
+
     # Set nsslapd-db-private-import-mem:on, nsslapd-import-cache-autosize: -1
     config.replace_many(
         ('nsslapd-db-private-import-mem', 'on'),
@@ -398,14 +409,16 @@ def test_fast_slow_import(topo, _toggle_private_import_mem, _import_clean):
     for i in accounts.filter('(uid=*)'):
         UserAccount(topo.standalone, i.dn).delete()
     # Measure offline import time duration total_time1
-    total_time1 = _import_offline(topo, 20)
+    total_time1 = _import_offline(topo, 1000)
     # Now nsslapd-db-private-import-mem:off
     config.replace('nsslapd-db-private-import-mem', 'off')
     for i in accounts.filter('(uid=*)'):
         UserAccount(topo.standalone, i.dn).delete()
     # Measure offline import time duration total_time2
-    total_time2 = _import_offline(topo, 20)
+    total_time2 = _import_offline(topo, 1000)
     # total_time1 < total_time2
+    log.info("toral_time1 = %f" % total_time1)
+    log.info("total_time2 = %f" % total_time2)
     assert total_time1 < total_time2
 
 
diff --git a/dirsrvtests/tests/suites/indexes/regression_test.py b/dirsrvtests/tests/suites/indexes/regression_test.py
index 1a71f16e9..ed0c8885f 100644
--- a/dirsrvtests/tests/suites/indexes/regression_test.py
+++ b/dirsrvtests/tests/suites/indexes/regression_test.py
@@ -19,6 +19,68 @@ from lib389.topologies import topology_st as topo
 pytestmark = pytest.mark.tier1
 
 
+@pytest.fixture(scope="function")
+def add_a_group_with_users(request, topo):
+    """
+    Add a group and users, which are members of this group.
+    """
+    groups = Groups(topo.standalone, DEFAULT_SUFFIX, rdn=None)
+    group = groups.create(properties={'cn': 'test_group'})
+    users_list = []
+    users_num = 100
+    users = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None)
+    for num in range(users_num):
+        USER_NAME = f'test_{num}'
+        user = users.create(properties={
+            'uid': USER_NAME,
+            'sn': USER_NAME,
+            'cn': USER_NAME,
+            'uidNumber': f'{num}',
+            'gidNumber': f'{num}',
+            'homeDirectory': f'/home/{USER_NAME}'
+        })
+        users_list.append(user)
+        group.add_member(user.dn)
+
+    def fin():
+        """
+        Removes group and users.
+        """
+        # If the server crashed, start it again to do the cleanup
+        if not topo.standalone.status():
+            topo.standalone.start()
+        for user in users_list:
+            user.delete()
+        group.delete()
+
+    request.addfinalizer(fin)
+
+
+@pytest.fixture(scope="function")
+def set_small_idlistscanlimit(request, topo):
+    """
+    Set nsslapd-idlistscanlimit to a smaller value to accelerate the reproducer
+    """
+    db_cfg = DatabaseConfig(topo.standalone)
+    old_idlistscanlimit = db_cfg.get_attr_vals_utf8('nsslapd-idlistscanlimit')
+    db_cfg.set([('nsslapd-idlistscanlimit', '100')])
+    topo.standalone.restart()
+
+    def fin():
+        """
+        Set nsslapd-idlistscanlimit back to the default value
+        """
+        # If the server crashed, start it again to do the cleanup
+        if not topo.standalone.status():
+            topo.standalone.start()
+        db_cfg.set([('nsslapd-idlistscanlimit', old_idlistscanlimit)])
+        topo.standalone.restart()
+
+    request.addfinalizer(fin)
+
+#unstable or unstatus tests, skipped for now
+@pytest.mark.flaky(max_runs=2, min_passes=1)
+@pytest.mark.skipif(ds_is_older("1.4.4.4"), reason="Not implemented")
 def test_reindex_task_creates_abandoned_index_file(topo):
     """
     Recreating an index for the same attribute but changing
@@ -123,3 +185,4 @@ if __name__ == "__main__":
     # -s for DEBUG mode
     CURRENT_FILE = os.path.realpath(__file__)
     pytest.main("-s %s" % CURRENT_FILE)
+
diff --git a/dirsrvtests/tests/suites/paged_results/paged_results_test.py b/dirsrvtests/tests/suites/paged_results/paged_results_test.py
index 9fdceb165..0b45b7d96 100644
--- a/dirsrvtests/tests/suites/paged_results/paged_results_test.py
+++ b/dirsrvtests/tests/suites/paged_results/paged_results_test.py
@@ -506,7 +506,8 @@ def test_search_with_timelimit(topology_st, create_user):
     finally:
         del_users(users_list)
 
-
+#unstable or unstatus tests, skipped for now
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 @pytest.mark.parametrize('aci_subject',
                          ('dns = "{}"'.format(HOSTNAME),
                           'ip = "{}"'.format(IP_ADDRESS)))
diff --git a/dirsrvtests/tests/suites/password/regression_test.py b/dirsrvtests/tests/suites/password/regression_test.py
index 251834421..8f1facb6d 100644
--- a/dirsrvtests/tests/suites/password/regression_test.py
+++ b/dirsrvtests/tests/suites/password/regression_test.py
@@ -215,6 +215,8 @@ def test_global_vs_local(topo, passw_policy, create_user, user_pasw):
     # reset password
     create_user.set('userPassword', PASSWORD)
 
+#unstable or unstatus tests, skipped for now
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 @pytest.mark.ds49789
 def test_unhashed_pw_switch(topo_supplier):
     """Check that nsslapd-unhashed-pw-switch works corrently
diff --git a/dirsrvtests/tests/suites/plugins/accpol_test.py b/dirsrvtests/tests/suites/plugins/accpol_test.py
index 73e2e54d1..77975c747 100644
--- a/dirsrvtests/tests/suites/plugins/accpol_test.py
+++ b/dirsrvtests/tests/suites/plugins/accpol_test.py
@@ -520,7 +520,8 @@ def test_glinact_limit(topology_st, accpol_global):
     modify_attr(topology_st, ACCP_CONF, 'accountInactivityLimit', '12')
     del_users(topology_st, suffix, subtree, userid, nousrs)
 
-
+#unstable or unstatus tests, skipped for now
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 def test_glnologin_attr(topology_st, accpol_global):
     """Verify if user account is inactivated based on createTimeStamp attribute, no lastLoginTime attribute present
 
@@ -610,7 +611,8 @@ def test_glnologin_attr(topology_st, accpol_global):
     account_status(topology_st, suffix, subtree, userid, nousrs, 0, "Enabled")
     del_users(topology_st, suffix, subtree, userid, nousrs)
 
-
+#unstable or unstatus tests, skipped for now
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 def test_glnoalt_stattr(topology_st, accpol_global):
     """Verify if user account can be inactivated based on lastLoginTime attribute, altstateattrname set to 1.1
 
@@ -656,6 +658,8 @@ def test_glnoalt_stattr(topology_st, accpol_global):
     del_users(topology_st, suffix, subtree, userid, nousrs)
 
 
+#unstable or unstatus tests, skipped for now
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 def test_glattr_modtime(topology_st, accpol_global):
     """Verify if user account can be inactivated based on modifyTimeStamp attribute
 
@@ -705,6 +709,8 @@ def test_glattr_modtime(topology_st, accpol_global):
     del_users(topology_st, suffix, subtree, userid, nousrs)
 
 
+#unstable or unstatus tests, skipped for now
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 def test_glnoalt_nologin(topology_st, accpol_global):
     """Verify if account policy plugin works if we set altstateattrname set to 1.1 and alwaysrecordlogin to NO
 
@@ -763,6 +769,8 @@ def test_glnoalt_nologin(topology_st, accpol_global):
     del_users(topology_st, suffix, subtree, userid, nousrs)
 
 
+#unstable or unstatus tests, skipped for now
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 def test_glinact_nsact(topology_st, accpol_global):
     """Verify if user account can be activated using ns-activate.pl script.
 
@@ -812,6 +820,8 @@ def test_glinact_nsact(topology_st, accpol_global):
     del_users(topology_st, suffix, subtree, userid, nousrs)
 
 
+#unstable or unstatus tests, skipped for now
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 def test_glinact_acclock(topology_st, accpol_global):
     """Verify if user account is activated when account is unlocked by passwordlockoutduration.
 
@@ -868,6 +878,8 @@ def test_glinact_acclock(topology_st, accpol_global):
     del_users(topology_st, suffix, subtree, userid, nousrs)
 
 
+#unstable or unstatus tests, skipped for now
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 def test_glnact_pwexp(topology_st, accpol_global):
     """Verify if user account is activated when password is reset after password is expired
 
@@ -951,6 +963,8 @@ def test_glnact_pwexp(topology_st, accpol_global):
     del_users(topology_st, suffix, subtree, userid, nousrs)
 
 
+#unstable or unstatus tests, skipped for now
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 def test_locact_inact(topology_st, accpol_local):
     """Verify if user account is inactivated when accountInactivityLimit is exceeded.
 
@@ -995,6 +1009,8 @@ def test_locact_inact(topology_st, accpol_local):
     del_users(topology_st, suffix, subtree, userid, nousrs)
 
 
+#unstable or unstatus tests, skipped for now
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 def test_locinact_modrdn(topology_st, accpol_local):
     """Verify if user account is inactivated when moved from ou=groups to ou=people subtree.
 
diff --git a/dirsrvtests/tests/suites/plugins/managed_entry_test.py b/dirsrvtests/tests/suites/plugins/managed_entry_test.py
new file mode 100644
index 000000000..662044ccd
--- /dev/null
+++ b/dirsrvtests/tests/suites/plugins/managed_entry_test.py
@@ -0,0 +1,351 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2020 Red Hat, Inc.
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ---
+#
+import pytest
+import time
+from lib389.topologies import topology_st as topo
+from lib389.idm.user import UserAccount, UserAccounts
+from lib389.idm.account import Account, Accounts
+from lib389._constants import DEFAULT_SUFFIX
+from lib389.idm.group import Groups
+from lib389.config import Config
+from lib389.idm.organizationalunit import OrganizationalUnits, OrganizationalUnit
+from lib389.plugins import MEPTemplates, MEPConfigs, ManagedEntriesPlugin, MEPTemplate
+from lib389.idm.nscontainer import nsContainers
+from lib389.idm.domain import Domain
+from lib389.tasks import Entry
+import ldap
+
+pytestmark = pytest.mark.tier1
+USER_PASSWORD = 'password'
+
+
+@pytest.fixture(scope="module")
+def _create_inital(topo):
+    """
+    Will create entries for this module
+    """
+    meps = MEPTemplates(topo.standalone, DEFAULT_SUFFIX)
+    mep_template1 = meps.create(
+        properties={'cn': 'UPG Template', 'mepRDNAttr': 'cn', 'mepStaticAttr': 'objectclass: posixGroup',
+                    'mepMappedAttr': 'cn: $uid|gidNumber: $gidNumber|description: User private group for $uid'.split(
+                        '|')})
+    conf_mep = MEPConfigs(topo.standalone)
+    conf_mep.create(properties={'cn': 'UPG Definition1', 'originScope': f'cn=Users,{DEFAULT_SUFFIX}',
+                                             'originFilter': 'objectclass=posixaccount',
+                                             'managedBase': f'cn=Groups,{DEFAULT_SUFFIX}',
+                                             'managedTemplate': mep_template1.dn})
+    container = nsContainers(topo.standalone, DEFAULT_SUFFIX)
+    for cn in ['Users', 'Groups']:
+        container.create(properties={'cn': cn})
+
+
+def test_binddn_tracking(topo, _create_inital):
+    """Test Managed Entries basic functionality
+
+    :id: ea2ddfd4-aaec-11ea-8416-8c16451d917b
+    :setup: Standalone Instance
+    :steps:
+        1. Set nsslapd-plugin-binddn-tracking attribute under cn=config
+        2. Add user
+        3. Managed Entry Plugin runs against managed entries upon any update without validating
+        4. verify creation of User Private Group with its time stamp value
+        5. Modify the SN attribute which is not mapped with managed entry
+        6. run ModRDN operation and check the User Private group
+        7. Check the time stamp of UPG should be changed now
+        8. Check the creatorsname should be user dn and internalCreatorsname should be plugin name
+        9. Check if a managed group entry was created
+    :expected results:
+        1. Success
+        2. Success
+        3. Success
+        4. Success
+        5. Success
+        6. Success
+        7. Success
+        8. Success
+        9. Success
+    """
+    config = Config(topo.standalone)
+    # set nsslapd-plugin-binddn-tracking attribute under cn=config
+    config.replace('nsslapd-plugin-binddn-tracking', 'on')
+    # Add user
+    user = UserAccounts(topo.standalone, f'cn=Users,{DEFAULT_SUFFIX}', rdn=None).create_test_user()
+    assert user.get_attr_val_utf8('mepManagedEntry') == f'cn=test_user_1000,cn=Groups,{DEFAULT_SUFFIX}'
+    entry = Account(topo.standalone, f'cn=test_user_1000,cn=Groups,{DEFAULT_SUFFIX}')
+    # Managed Entry Plugin runs against managed entries upon any update without validating
+    # verify creation of User Private Group with its time stamp value
+    stamp1 = entry.get_attr_val_utf8('modifyTimestamp')
+    user.replace('sn', 'NewSN_modified')
+    stamp2 = entry.get_attr_val_utf8('modifyTimestamp')
+    # Modify the SN attribute which is not mapped with managed entry
+    # Check the time stamp of UPG should not be changed
+    assert stamp1 == stamp2
+    time.sleep(1)
+    # run ModRDN operation and check the User Private group
+    user.rename(new_rdn='uid=UserNewRDN', newsuperior='cn=Users,dc=example,dc=com')
+    assert user.get_attr_val_utf8('mepManagedEntry') == f'cn=UserNewRDN,cn=Groups,{DEFAULT_SUFFIX}'
+    entry = Account(topo.standalone, f'cn=UserNewRDN,cn=Groups,{DEFAULT_SUFFIX}')
+    stamp3 = entry.get_attr_val_utf8('modifyTimestamp')
+    # Check the time stamp of UPG should be changed now
+    assert stamp2 != stamp3
+    time.sleep(1)
+    user.replace('gidNumber', '1')
+    stamp4 = entry.get_attr_val_utf8('modifyTimestamp')
+    assert stamp4 != stamp3
+    # Check the creatorsname should be user dn and internalCreatorsname should be plugin name
+    assert entry.get_attr_val_utf8('creatorsname') == 'cn=directory manager'
+    assert entry.get_attr_val_utf8('internalCreatorsname') == 'cn=Managed Entries,cn=plugins,cn=config'
+    assert entry.get_attr_val_utf8('modifiersname') == 'cn=directory manager'
+    user.delete()
+    config.replace('nsslapd-plugin-binddn-tracking', 'off')
+
+
+class WithObjectClass(Account):
+    def __init__(self, instance, dn=None):
+        super(WithObjectClass, self).__init__(instance, dn)
+        self._rdn_attribute = 'uid'
+        self._create_objectclasses = ['top', 'person', 'inetorgperson']
+
+#unstable or unstatus tests, skipped for now
+@pytest.mark.flaky(max_runs=2, min_passes=1)
+def test_mentry01(topo, _create_inital):
+    """Test Managed Entries basic functionality
+
+    :id: 9b87493b-0493-46f9-8364-6099d0e5d806
+    :setup: Standalone Instance
+    :steps:
+        1. Check the plug-in status
+        2. Add Template and definition entry
+        3. Add our org units
+        4. Add users with PosixAccount ObjectClass and verify creation of User Private Group
+        5. Disable the plug-in and check the status
+        6. Enable the plug-in and check the status the plug-in is disabled and creation of UPG should fail
+        7. Add users with PosixAccount ObjectClass and verify creation of User Private Group
+        8. Add users, run ModRDN operation and check the User Private group
+        9. Add users, run LDAPMODIFY to change the gidNumber and check the User Private group
+        10. Checking whether creation of User Private group fails for existing group entry
+        11. Checking whether adding of posixAccount objectClass to existing user creates UPG
+        12. Running ModRDN operation and checking the user private groups mepManagedBy attribute
+        13. Deleting mepManagedBy attribute and running ModRDN operation to check if it creates a new UPG
+        14. Change the RDN of template entry, DSA Unwilling to perform error expected
+        15. Change the RDN of cn=Users to cn=TestUsers and check UPG are deleted
+    :expected results:
+        1. Success
+        2. Success
+        3. Success
+        4. Success
+        5. Success
+        6. Success
+        7. Success
+        8. Success
+        9. Success
+        10. Success
+        11. Success
+        12. Success
+        13. Success
+        14. Fail(Unwilling to perform )
+        15. Success
+    """
+    # Check the plug-in status
+    mana = ManagedEntriesPlugin(topo.standalone)
+    assert mana.status()
+    # Add Template and definition entry
+    org1 = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX).create(properties={'ou': 'Users'})
+    org2 = OrganizationalUnit(topo.standalone, f'ou=Groups,{DEFAULT_SUFFIX}')
+    meps = MEPTemplates(topo.standalone, DEFAULT_SUFFIX)
+    mep_template1 = meps.create(properties={
+        'cn': 'UPG Template1',
+        'mepRDNAttr': 'cn',
+        'mepStaticAttr': 'objectclass: posixGroup',
+        'mepMappedAttr': 'cn: $uid|gidNumber: $gidNumber|description: User private group for $uid'.split('|')})
+    conf_mep = MEPConfigs(topo.standalone)
+    mep_config = conf_mep.create(properties={
+        'cn': 'UPG Definition2',
+        'originScope': org1.dn,
+        'originFilter': 'objectclass=posixaccount',
+        'managedBase': org2.dn,
+        'managedTemplate': mep_template1.dn})
+    # Add users with PosixAccount ObjectClass and verify creation of User Private Group
+    user = UserAccounts(topo.standalone, f'ou=Users,{DEFAULT_SUFFIX}', rdn=None).create_test_user()
+    assert user.get_attr_val_utf8('mepManagedEntry') == f'cn=test_user_1000,ou=Groups,{DEFAULT_SUFFIX}'
+    # Disable the plug-in and check the status
+    mana.disable()
+    user.delete()
+    topo.standalone.restart()
+    # Add users with PosixAccount ObjectClass when the plug-in is disabled and creation of UPG should fail
+    user = UserAccounts(topo.standalone, f'ou=Users,{DEFAULT_SUFFIX}', rdn=None).create_test_user()
+    assert not user.get_attr_val_utf8('mepManagedEntry')
+    # Enable the plug-in and check the status
+    mana.enable()
+    user.delete()
+    topo.standalone.restart()
+    # Add users with PosixAccount ObjectClass and verify creation of User Private Group
+    user = UserAccounts(topo.standalone, f'ou=Users,{DEFAULT_SUFFIX}', rdn=None).create_test_user()
+    assert user.get_attr_val_utf8('mepManagedEntry') == f'cn=test_user_1000,ou=Groups,{DEFAULT_SUFFIX}'
+    # Add users, run ModRDN operation and check the User Private group
+    # Add users, run LDAPMODIFY to change the gidNumber and check the User Private group
+    user.rename(new_rdn='uid=UserNewRDN', newsuperior='ou=Users,dc=example,dc=com')
+    assert user.get_attr_val_utf8('mepManagedEntry') == f'cn=UserNewRDN,ou=Groups,{DEFAULT_SUFFIX}'
+    user.replace('gidNumber', '20209')
+    entry = Account(topo.standalone, f'cn=UserNewRDN,ou=Groups,{DEFAULT_SUFFIX}')
+    assert entry.get_attr_val_utf8('gidNumber') == '20209'
+    user.replace_many(('sn', 'new_modified_sn'), ('gidNumber', '31309'))
+    assert entry.get_attr_val_utf8('gidNumber') == '31309'
+    user.delete()
+    # Checking whether creation of User Private group fails for existing group entry
+    grp = Groups(topo.standalone, f'ou=Groups,{DEFAULT_SUFFIX}', rdn=None).create(properties={'cn': 'MENTRY_14'})
+    user = UserAccounts(topo.standalone, f'ou=Users,{DEFAULT_SUFFIX}', rdn=None).create_test_user()
+    with pytest.raises(ldap.NO_SUCH_OBJECT):
+        entry.status()
+    user.delete()
+    # Checking whether adding of posixAccount objectClass to existing user creates UPG
+    # Add Users without posixAccount objectClass
+    users = WithObjectClass(topo.standalone, f'uid=test_test, ou=Users,{DEFAULT_SUFFIX}')
+    user_properties1 = {'uid': 'test_test', 'cn': 'test', 'sn': 'test', 'mail': 'sasa@sasa.com', 'telephoneNumber': '123'}
+    user = users.create(properties=user_properties1)
+    assert not user.get_attr_val_utf8('mepManagedEntry')
+    # Add posixAccount objectClass
+    user.replace_many(('objectclass', ['top', 'person', 'inetorgperson', 'posixAccount']),
+                      ('homeDirectory', '/home/ok'),
+                      ('uidNumber', '61603'), ('gidNumber', '61603'))
+    assert not user.get_attr_val_utf8('mepManagedEntry')
+    user = UserAccounts(topo.standalone, f'ou=Users,{DEFAULT_SUFFIX}', rdn=None).create_test_user()
+    entry = Account(topo.standalone, 'cn=test_user_1000,ou=Groups,dc=example,dc=com')
+    # Add inetuser objectClass
+    user.replace_many(
+        ('objectclass', ['top', 'account', 'posixaccount', 'inetOrgPerson',
+                         'organizationalPerson', 'nsMemberOf', 'nsAccount',
+                         'person', 'mepOriginEntry', 'inetuser']),
+        ('memberOf', entry.dn))
+    assert entry.status()
+    user.delete()
+    user = UserAccounts(topo.standalone, f'ou=Users,{DEFAULT_SUFFIX}', rdn=None).create_test_user()
+    entry = Account(topo.standalone, 'cn=test_user_1000,ou=Groups,dc=example,dc=com')
+    # Add groupofNames objectClass
+    user.replace_many(
+        ('objectclass', ['top', 'account', 'posixaccount', 'inetOrgPerson',
+                         'organizationalPerson', 'nsMemberOf', 'nsAccount',
+                         'person', 'mepOriginEntry', 'groupofNames']),
+        ('memberOf', user.dn))
+    assert entry.status()
+    # Running ModRDN operation and checking the user private groups mepManagedBy attribute
+    user.replace('mepManagedEntry', f'uid=CheckModRDN,ou=Users,{DEFAULT_SUFFIX}')
+    user.rename(new_rdn='uid=UserNewRDN', newsuperior='ou=Users,dc=example,dc=com')
+    assert user.get_attr_val_utf8('mepManagedEntry') == f'uid=CheckModRDN,ou=Users,{DEFAULT_SUFFIX}'
+    # Deleting mepManagedBy attribute and running ModRDN operation to check if it creates a new UPG
+    user.remove('mepManagedEntry', f'uid=CheckModRDN,ou=Users,{DEFAULT_SUFFIX}')
+    user.rename(new_rdn='uid=UserNewRDN1', newsuperior='ou=Users,dc=example,dc=com')
+    assert user.get_attr_val_utf8('mepManagedEntry') == f'cn=UserNewRDN1,ou=Groups,{DEFAULT_SUFFIX}'
+    # Change the RDN of template entry, DSA Unwilling to perform error expected
+    mep = MEPTemplate(topo.standalone, f'cn=UPG Template,{DEFAULT_SUFFIX}')
+    with pytest.raises(ldap.UNWILLING_TO_PERFORM):
+        mep.rename(new_rdn='cn=UPG Template2', newsuperior='dc=example,dc=com')
+    # Change the RDN of cn=Users to cn=TestUsers and check UPG are deleted
+    before = user.get_attr_val_utf8('mepManagedEntry')
+    user.rename(new_rdn='uid=Anuj', newsuperior='ou=Users,dc=example,dc=com')
+    assert user.get_attr_val_utf8('mepManagedEntry') != before
+
+
+def test_managed_entry_removal(topo):
+    """Check that we can't remove managed entry manually
+
+    :id: cf9c5be5-97ef-46fc-b199-8346acf4c296
+    :setup: Standalone Instance
+    :steps:
+        1. Enable the plugin
+        2. Restart the instance
+        3. Add our org units
+        4. Set up config entry and template entry for the org units
+        5. Add an entry that meets the MEP scope
+        6. Check if a managed group entry was created
+        7. Try to remove the entry while bound as Admin (non-DM)
+        8. Remove the entry while bound as DM
+        9. Check that the managing entry can be deleted too
+    :expectedresults:
+        1. Success
+        2. Success
+        3. Success
+        4. Success
+        5. Success
+        6. Success
+        7. Should fail
+        8. Success
+        9. Success
+    """
+
+    inst = topo.standalone
+
+    # Add ACI so we can test that non-DM user can't delete managed entry
+    domain = Domain(inst, DEFAULT_SUFFIX)
+    ACI_TARGET = f"(target = \"ldap:///{DEFAULT_SUFFIX}\")"
+    ACI_TARGETATTR = "(targetattr = *)"
+    ACI_ALLOW = "(version 3.0; acl \"Admin Access\"; allow (all) "
+    ACI_SUBJECT = "(userdn = \"ldap:///anyone\");)"
+    ACI_BODY = ACI_TARGET + ACI_TARGETATTR + ACI_ALLOW + ACI_SUBJECT
+    domain.add('aci', ACI_BODY)
+
+    # stop the plugin, and start it
+    plugin = ManagedEntriesPlugin(inst)
+    plugin.disable()
+    plugin.enable()
+
+    # Add our org units
+    ous = OrganizationalUnits(inst, DEFAULT_SUFFIX)
+    ou_people = ous.create(properties={'ou': 'managed_people'})
+    ou_groups = ous.create(properties={'ou': 'managed_groups'})
+
+    mep_templates = MEPTemplates(inst, DEFAULT_SUFFIX)
+    mep_template1 = mep_templates.create(properties={
+        'cn': 'MEP template',
+        'mepRDNAttr': 'cn',
+        'mepStaticAttr': 'objectclass: groupOfNames|objectclass: extensibleObject'.split('|'),
+        'mepMappedAttr': 'cn: $cn|uid: $cn|gidNumber: $uidNumber'.split('|')
+    })
+    mep_configs = MEPConfigs(inst)
+    mep_configs.create(properties={'cn': 'config',
+                                   'originScope': ou_people.dn,
+                                   'originFilter': 'objectclass=posixAccount',
+                                   'managedBase': ou_groups.dn,
+                                   'managedTemplate': mep_template1.dn})
+    inst.restart()
+
+    # Add an entry that meets the MEP scope
+    test_users_m1 = UserAccounts(inst, DEFAULT_SUFFIX, rdn='ou={}'.format(ou_people.rdn))
+    managing_entry = test_users_m1.create_test_user(1001)
+    managing_entry.reset_password(USER_PASSWORD)
+    user_bound_conn = managing_entry.bind(USER_PASSWORD)
+
+    # Get the managed entry
+    managed_groups = Groups(inst, ou_groups.dn, rdn=None)
+    managed_entry = managed_groups.get(managing_entry.rdn)
+
+    # Check that the managed entry was created
+    assert managed_entry.exists()
+
+    # Try to remove the entry while bound as Admin (non-DM)
+    managed_groups_user_conn = Groups(user_bound_conn, ou_groups.dn, rdn=None)
+    managed_entry_user_conn = managed_groups_user_conn.get(managed_entry.rdn)
+    with pytest.raises(ldap.UNWILLING_TO_PERFORM):
+        managed_entry_user_conn.delete()
+    assert managed_entry_user_conn.exists()
+
+    # Remove the entry while bound as DM
+    managed_entry.delete()
+    assert not managed_entry.exists()
+
+    # Check that the managing entry can be deleted too
+    managing_entry.delete()
+    assert not managing_entry.exists()
+
+
+if __name__ == '__main__':
+    # Run isolated
+    # -s for DEBUG mode
+    CURRENT_FILE = os.path.realpath(__file__)
+    pytest.main("-s %s" % CURRENT_FILE)
diff --git a/dirsrvtests/tests/suites/plugins/memberof_test.py b/dirsrvtests/tests/suites/plugins/memberof_test.py
index bc99eef7d..d3b32c856 100644
--- a/dirsrvtests/tests/suites/plugins/memberof_test.py
+++ b/dirsrvtests/tests/suites/plugins/memberof_test.py
@@ -2655,7 +2655,8 @@ def test_complex_group_scenario_9(topology_st):
     verify_post_025(topology_st, memofegrp020_1, memofegrp020_2, memofegrp020_3, memofegrp020_4, memofegrp020_5,
                     memofuser1, memofuser2, memofuser3, memofuser4)
 
-
+#unstable or unstatus tests, skipped for now
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 def test_memberof_auto_add_oc(topology_st):
     """Test the auto add objectclass (OC) feature. The plugin should add a predefined
     objectclass that will allow memberOf to be added to an entry.
diff --git a/dirsrvtests/tests/suites/replication/cleanallruv_test.py b/dirsrvtests/tests/suites/replication/cleanallruv_test.py
index 5610e3c19..f0cd99cfc 100644
--- a/dirsrvtests/tests/suites/replication/cleanallruv_test.py
+++ b/dirsrvtests/tests/suites/replication/cleanallruv_test.py
@@ -223,7 +223,7 @@ def test_clean(topology_m4, m4rid):
 
     log.info('test_clean PASSED, restoring supplier 4...')
 
-
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 def test_clean_restart(topology_m4, m4rid):
     """Check that cleanallruv task works properly after a restart
 
@@ -295,6 +295,7 @@ def test_clean_restart(topology_m4, m4rid):
     log.info('test_clean_restart PASSED, restoring supplier 4...')
 
 
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 def test_clean_force(topology_m4, m4rid):
     """Check that multiple tasks with a 'force' option work properly
 
@@ -353,6 +354,7 @@ def test_clean_force(topology_m4, m4rid):
     log.info('test_clean_force PASSED, restoring supplier 4...')
 
 
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 def test_abort(topology_m4, m4rid):
     """Test the abort task basic functionality
 
@@ -408,6 +410,7 @@ def test_abort(topology_m4, m4rid):
     log.info('test_abort PASSED, restoring supplier 4...')
 
 
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 def test_abort_restart(topology_m4, m4rid):
     """Test the abort task can handle a restart, and then resume
 
@@ -486,6 +489,7 @@ def test_abort_restart(topology_m4, m4rid):
     log.info('test_abort_restart PASSED, restoring supplier 4...')
 
 
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 def test_abort_certify(topology_m4, m4rid):
     """Test the abort task with a replica-certify-all option
 
@@ -555,6 +559,7 @@ def test_abort_certify(topology_m4, m4rid):
     log.info('test_abort_certify PASSED, restoring supplier 4...')
 
 
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 def test_stress_clean(topology_m4, m4rid):
     """Put each server(m1 - m4) under a stress, and perform the entire clean process
 
@@ -641,6 +646,7 @@ def test_stress_clean(topology_m4, m4rid):
     ldbm_config.set('nsslapd-readonly', 'off')
 
 
+@pytest.mark.flaky(max_runs=2, min_passes=1)
 def test_multiple_tasks_with_force(topology_m4, m4rid):
     """Check that multiple tasks with a 'force' option work properly
 
diff --git a/dirsrvtests/tests/suites/replication/encryption_cl5_test.py b/dirsrvtests/tests/suites/replication/encryption_cl5_test.py
index 7ae7e1b13..b69863f53 100644
--- a/dirsrvtests/tests/suites/replication/encryption_cl5_test.py
+++ b/dirsrvtests/tests/suites/replication/encryption_cl5_test.py
@@ -73,10 +73,10 @@ def _check_unhashed_userpw_encrypted(inst, change_type, user_dn, user_pw, is_enc
                 assert user_pw_attr in entry, 'Changelog entry does not contain clear text password'
     assert count, 'Operation type and DN of the entry not matched in changelog'
 
-
-@pytest.mark.parametrize("encryption", ["AES", "3DES"])
-def test_algorithm_unhashed(topology_with_tls, encryption):
-    """Check encryption algowithm AES and 3DES.
+#unstable or unstatus tests, skipped for now
+@pytest.mark.flaky(max_runs=2, min_passes=1)
+def test_algorithm_unhashed(topology_with_tls):
+    """Check encryption algorithm AES
     And check unhashed#user#password attribute for encryption.
 
     :id: b7a37bf8-4b2e-4dbd-9891-70117d67558c
diff --git a/dirsrvtests/tests/suites/retrocl/basic_test.py b/dirsrvtests/tests/suites/retrocl/basic_test.py
deleted file mode 100644
index 112c73cb9..000000000
--- a/dirsrvtests/tests/suites/retrocl/basic_test.py
+++ /dev/null
@@ -1,292 +0,0 @@
-# --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2021 Red Hat, Inc.
-# All rights reserved.
-#
-# License: GPL (version 3 or any later version).
-# See LICENSE for details.
-# --- END COPYRIGHT BLOCK ---
-
-import logging
-import ldap
-import time
-import pytest
-from lib389.topologies import topology_st
-from lib389.plugins import RetroChangelogPlugin
-from lib389._constants import *
-from lib389.utils import *
-from lib389.tasks import *
-from lib389.cli_base import FakeArgs, connect_instance, disconnect_instance
-from lib389.cli_base.dsrc import dsrc_arg_concat
-from lib389.cli_conf.plugins.retrochangelog import retrochangelog_add
-from lib389.idm.user import UserAccount, UserAccounts, nsUserAccounts
-
-pytestmark = pytest.mark.tier1
-
-USER1_DN = 'uid=user1,ou=people,'+ DEFAULT_SUFFIX
-USER2_DN = 'uid=user2,ou=people,'+ DEFAULT_SUFFIX
-USER_PW = 'password'
-ATTR_HOMEPHONE = 'homePhone'
-ATTR_CARLICENSE = 'carLicense'
-
-log = logging.getLogger(__name__)
-
-def test_retrocl_exclude_attr_add(topology_st):
-    """ Test exclude attribute feature of the retrocl plugin for add operation
-
-    :id: 3481650f-2070-45ef-9600-2500cfc51559
-
-    :setup: Standalone instance
-
-    :steps:
-        1. Enable dynamic plugins
-        2. Confige retro changelog plugin
-        3. Add an entry
-        4. Ensure entry attrs are in the changelog
-        5. Exclude an attr
-        6. Add another entry
-        7. Ensure excluded attr is not in the changelog
-
-    :expectedresults:
-        1. Success
-        2. Success
-        3. Success
-        4. Success
-        5. Success
-        6. Success
-        7. Success
-    """
-
-    st = topology_st.standalone
-
-    log.info('Enable dynamic plugins')
-    try:
-        st.config.set('nsslapd-dynamic-plugins', 'on')
-    except ldap.LDAPError as e:
-        ldap.error('Failed to enable dynamic plugins ' + e.args[0]['desc'])
-        assert False
-
-    log.info('Configure retrocl plugin')
-    rcl = RetroChangelogPlugin(st)
-    rcl.disable()
-    rcl.enable()
-    rcl.replace('nsslapd-attribute', 'nsuniqueid:targetUniqueId')
-
-    log.info('Restarting instance')
-    try:
-        st.restart()
-    except ldap.LDAPError as e:
-        ldap.error('Failed to restart instance ' + e.args[0]['desc'])
-        assert False
-
-    users = UserAccounts(st, DEFAULT_SUFFIX)
-
-    log.info('Adding user1')
-    try:
-        user1 = users.create(properties={
-            'sn': '1',
-            'cn': 'user 1',
-            'uid': 'user1',
-            'uidNumber': '11',
-            'gidNumber': '111',
-            'givenname': 'user1',
-            'homePhone': '0861234567',
-            'carLicense': '131D16674',
-            'mail': 'user1@whereever.com',
-            'homeDirectory': '/home/user1',
-            'userpassword': USER_PW})
-    except ldap.ALREADY_EXISTS:
-        pass
-    except ldap.LDAPError as e:
-        log.error("Failed to add user1")
-
-    log.info('Verify homePhone and carLicense attrs are in the changelog changestring')
-    try:
-        cllist = st.search_s(RETROCL_SUFFIX, ldap.SCOPE_SUBTREE, '(targetDn=%s)' % USER1_DN)
-    except ldap.LDAPError as e:
-        log.fatal("Changelog search failed, error: " +str(e))
-        assert False
-    assert len(cllist) > 0
-    if  cllist[0].hasAttr('changes'):
-        clstr = (cllist[0].getValue('changes')).decode()
-        assert ATTR_HOMEPHONE in clstr
-        assert ATTR_CARLICENSE in clstr
-
-    log.info('Excluding attribute ' + ATTR_HOMEPHONE)
-    args = FakeArgs()
-    args.connections = [st.host + ':' + str(st.port) + ':' + DN_DM + ':' + PW_DM]
-    args.instance = 'standalone1'
-    args.basedn = None
-    args.binddn = None
-    args.starttls = False
-    args.pwdfile = None
-    args.bindpw = None
-    args.prompt = False
-    args.exclude_attrs = ATTR_HOMEPHONE
-    args.func = retrochangelog_add
-    dsrc_inst = dsrc_arg_concat(args, None)
-    inst = connect_instance(dsrc_inst, False, args)
-    result = args.func(inst, None, log, args)
-    disconnect_instance(inst)
-    assert result is None
-
-    log.info("5s delay for retrocl plugin to restart")
-    time.sleep(5)
-
-    log.info('Adding user2')
-    try:
-        user2 = users.create(properties={
-            'sn': '2',
-            'cn': 'user 2',
-            'uid': 'user2',
-            'uidNumber': '22',
-            'gidNumber': '222',
-            'givenname': 'user2',
-            'homePhone': '0879088363',
-            'carLicense': '04WX11038',
-            'mail': 'user2@whereever.com',
-            'homeDirectory': '/home/user2',
-            'userpassword': USER_PW})
-    except ldap.ALREADY_EXISTS:
-        pass
-    except ldap.LDAPError as e:
-        log.error("Failed to add user2")
-
-    log.info('Verify homePhone attr is not in the changelog changestring')
-    try:
-        cllist = st.search_s(RETROCL_SUFFIX, ldap.SCOPE_SUBTREE, '(targetDn=%s)' % USER2_DN)
-        assert len(cllist) > 0
-        if  cllist[0].hasAttr('changes'):
-            clstr = (cllist[0].getValue('changes')).decode()
-            assert ATTR_HOMEPHONE not in clstr
-            assert ATTR_CARLICENSE in clstr
-    except ldap.LDAPError as e:
-        log.fatal("Changelog search failed, error: " +str(e))
-        assert False
-
-def test_retrocl_exclude_attr_mod(topology_st):
-    """ Test exclude attribute feature of the retrocl plugin for mod operation
-
-    :id: f6bef689-685b-4f86-a98d-f7e6b1fcada3
-
-    :setup: Standalone instance
-
-    :steps:
-        1. Enable dynamic plugins
-        2. Confige retro changelog plugin
-        3. Add user1 entry
-        4. Ensure entry attrs are in the changelog
-        5. Exclude an attr
-        6. Modify user1 entry
-        7. Ensure excluded attr is not in the changelog
-
-    :expectedresults:
-        1. Success
-        2. Success
-        3. Success
-        4. Success
-        5. Success
-        6. Success
-        7. Success
-    """
-
-    st = topology_st.standalone
-
-    log.info('Enable dynamic plugins')
-    try:
-        st.config.set('nsslapd-dynamic-plugins', 'on')
-    except ldap.LDAPError as e:
-        ldap.error('Failed to enable dynamic plugins ' + e.args[0]['desc'])
-        assert False
-
-    log.info('Configure retrocl plugin')
-    rcl = RetroChangelogPlugin(st)
-    rcl.disable()
-    rcl.enable()
-    rcl.replace('nsslapd-attribute', 'nsuniqueid:targetUniqueId')
-
-    log.info('Restarting instance')
-    try:
-        st.restart()
-    except ldap.LDAPError as e:
-        ldap.error('Failed to restart instance ' + e.args[0]['desc'])
-        assert False
-
-    users = UserAccounts(st, DEFAULT_SUFFIX)
-
-    log.info('Adding user1')
-    try:
-        user1 = users.create(properties={
-            'sn': '1',
-            'cn': 'user 1',
-            'uid': 'user1',
-            'uidNumber': '11',
-            'gidNumber': '111',
-            'givenname': 'user1',
-            'homePhone': '0861234567',
-            'carLicense': '131D16674',
-            'mail': 'user1@whereever.com',
-            'homeDirectory': '/home/user1',
-            'userpassword': USER_PW})
-    except ldap.ALREADY_EXISTS:
-        pass
-    except ldap.LDAPError as e:
-        log.error("Failed to add user1")
-
-    log.info('Verify homePhone and carLicense attrs are in the changelog changestring')
-    try:
-        cllist = st.search_s(RETROCL_SUFFIX, ldap.SCOPE_SUBTREE, '(targetDn=%s)' % USER1_DN)
-    except ldap.LDAPError as e:
-        log.fatal("Changelog search failed, error: " +str(e))
-        assert False
-    assert len(cllist) > 0
-    if  cllist[0].hasAttr('changes'):
-        clstr = (cllist[0].getValue('changes')).decode()
-        assert ATTR_HOMEPHONE in clstr
-        assert ATTR_CARLICENSE in clstr
-
-    log.info('Excluding attribute ' + ATTR_CARLICENSE)
-    args = FakeArgs()
-    args.connections = [st.host + ':' + str(st.port) + ':' + DN_DM + ':' + PW_DM]
-    args.instance = 'standalone1'
-    args.basedn = None
-    args.binddn = None
-    args.starttls = False
-    args.pwdfile = None
-    args.bindpw = None
-    args.prompt = False
-    args.exclude_attrs = ATTR_CARLICENSE
-    args.func = retrochangelog_add
-    dsrc_inst = dsrc_arg_concat(args, None)
-    inst = connect_instance(dsrc_inst, False, args)
-    result = args.func(inst, None, log, args)
-    disconnect_instance(inst)
-    assert result is None
-
-    log.info("5s delay for retrocl plugin to restart")
-    time.sleep(5)
-
-    log.info('Modify user1 carLicense attribute')
-    try:
-        st.modify_s(USER1_DN, [(ldap.MOD_REPLACE, ATTR_CARLICENSE, b"123WX321")])
-    except ldap.LDAPError as e:
-        log.fatal('test_retrocl_exclude_attr_mod: Failed to update user1 attribute: error ' + e.message['desc'])
-        assert False
-
-    log.info('Verify carLicense attr is not in the changelog changestring')
-    try:
-        cllist = st.search_s(RETROCL_SUFFIX, ldap.SCOPE_SUBTREE, '(targetDn=%s)' % USER1_DN)
-        assert len(cllist) > 0
-        # There will be 2 entries in the changelog for this user, we are only
-        #interested in the second one, the modify operation.
-        if  cllist[1].hasAttr('changes'):
-            clstr = (cllist[1].getValue('changes')).decode()
-            assert ATTR_CARLICENSE not in clstr
-    except ldap.LDAPError as e:
-        log.fatal("Changelog search failed, error: " +str(e))
-        assert False
-
-if __name__ == '__main__':
-    # Run isolated
-    # -s for DEBUG mode
-    CURRENT_FILE = os.path.realpath(__file__)
-    pytest.main("-s %s" % CURRENT_FILE)
-- 
2.26.3