From a3bcb05ce1c554aa98af9343bec7335521db3a3e Mon Sep 17 00:00:00 2001

From: Alexander Bokovoy <abokovoy@redhat.com>

Date: Mon, 16 Oct 2017 13:32:38 +0300

Subject: [PATCH] ds: ignore time skew during initial replication step

Initial replica creation can go with ignoring time skew checks.

We should, however, force time skew checks during normal operation.

Fixes https://pagure.io/freeipa/issue/7211

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

 install/share/Makefile.am                    |  1 +

 install/share/replica-prevent-time-skew.ldif |  4 ++++

 ipaserver/install/dsinstance.py              | 24 ++++++++++++++++++++++++

 3 files changed, 29 insertions(+)

 create mode 100644 install/share/replica-prevent-time-skew.ldif

diff --git a/install/share/Makefile.am b/install/share/Makefile.am

index 85a061c6976dcc55b0ba2250423a344e14f2ce97..46b3d77663113f770765c8bd1d8a916791d628f4 100644

--- a/install/share/Makefile.am

+++ b/install/share/Makefile.am

@@ -38,6 +38,7 @@ dist_app_DATA =				\

 	default-trust-view.ldif		\

 	delegation.ldif			\

 	replica-acis.ldif		\

+	replica-prevent-time-skew.ldif  \

 	ds-nfiles.ldif			\

 	dns.ldif			\

 	dnssec.ldif			\

diff --git a/install/share/replica-prevent-time-skew.ldif b/install/share/replica-prevent-time-skew.ldif

new file mode 100644

index 0000000000000000000000000000000000000000..5d301feddb56347f3b35be89edaae1a7d91e07de

--- /dev/null

+++ b/install/share/replica-prevent-time-skew.ldif

@@ -0,0 +1,4 @@

+dn: cn=config

+changetype: modify

+replace: nsslapd-ignore-time-skew

+nsslapd-ignore-time-skew: $SKEWVALUE

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py

index c9db8ac28c3ca10539b745ca09f4d8aaece02e0c..7a88612997a3fa96cf394852401fb01e5e4501d5 100644

--- a/ipaserver/install/dsinstance.py

+++ b/ipaserver/install/dsinstance.py

@@ -392,7 +392,21 @@ class DsInstance(service.Service):

         self.step("restarting directory server", self.__restart_instance)

         self.step("creating DS keytab", self.request_service_keytab)

+

+        # 389-ds allows to ignore time skew during replication. It is disabled

+        # by default to avoid issues with non-contiguous CSN values which

+        # derived from a time stamp when the change occurs. However, there are

+        # cases when we are interested only in the changes coming from the

+        # other side and should therefore allow ignoring the time skew.

+        #

+        # This helps with initial replication or force-sync because

+        # the receiving side has no valuable changes itself yet.

+        self.step("ignore time skew for initial replication",

+                  self.__replica_ignore_initial_time_skew)

+

         self.step("setting up initial replication", self.__setup_replica)

+        self.step("prevent time skew after initial replication",

+                  self.replica_manage_time_skew)

         self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings)

         self.step("updating schema", self.__update_schema)

         # See LDIFs for automember configuration during replica install

@@ -929,6 +943,16 @@ class DsInstance(service.Service):

     def __add_replication_acis(self):

         self._ldap_mod("replica-acis.ldif", self.sub_dict)

+    def __replica_ignore_initial_time_skew(self):

+        self.replica_manage_time_skew(prevent=False)

+

+    def replica_manage_time_skew(self, prevent=True):

+        if prevent:

+            self.sub_dict['SKEWVALUE'] = 'off'

+        else:

+            self.sub_dict['SKEWVALUE'] = 'on'

+        self._ldap_mod("replica-prevent-time-skew.ldif", self.sub_dict)

+

     def __setup_s4u2proxy(self):

         self._ldap_mod("replica-s4u2proxy.ldif", self.sub_dict)

-- 

2.9.5