Regression in winsync replication agreement - Githubissues

389ds / 389-ds-base

The enterprise-class Open Source LDAP server for Linux

https://www.port389.org/

Other

211 stars 93 forks source link

Regression in winsync replication agreement #4700

Closed flo-renaud closed 3 years ago

flo-renaud commented 3 years ago

Issue Description In IPA environment, the configuration of a winsync replication agreement fails in the step adding cn=replication manager,cn=config. The regression was introduced with 389-ds-base-1.4.4.12-1.fc33.x86_64 (no issue with 389-ds-base-1.4.4.11-1.fc33.x86_64). The command ipa-replica-manage connect --winsync --binddn cn=Administrator,cn=users,dc=ad,dc=test --bindpw Secret123 --password Secret.123 --cacert /tmp/tmp.OCf3xgAY5f --passsync dummy ad-root.ad.test -v fails with ldap.OPERATIONS_ERROR: Invalid DN.

Package Version and Platform: 389-ds-base-1.4.4.12-1.fc33.x86_64

Steps to Reproduce IPA nightly test test_integration/test_winsyncmigrate.py

More information available in https://pagure.io/freeipa/issue/8691

mreynolds389 commented 3 years ago

The only fixes in 1.4.4.12 are:

Issue 4579 - libasan detects heap-use-after-free in URP test (#4584)
Issue 4563 - Failure on s390x: ‘Fails to split RDN “o=pki-tomcat-CA” into components’ (#4573)
Issue 4526 - sync_repl: when completing an operation in the pending list, it can select the wrong operation (#4553)
Issue 4396 - Minor memory leak in backend (#4558) (#4572)
Issue 4324 - Performance search rate: change entry cache monitor to recursive pthread mutex (#4569)
Issue 5442 - Search results are different between RHDS10 and RHDS11

None of them directly impact Add operations or winsync/replication. The logs from the ipa ticket show:

[03/Feb/2021:19:46:54.462782376 +0000] conn=6 op=5 ADD dn="cn=replication manager,cn=config"
[03/Feb/2021:19:46:54.524714900 +0000] conn=6 op=5 RESULT err=1 tag=105 nentries=0 wtime=0.000111775 optime=0.061935050 etime=0.062040261

and the error log contains:

[03/Feb/2021:19:46:54.527606161 +0000] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry.

ipa_sidgen_add_post_op():

...
ret = slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn_str); 
if (ret != 0) { 
    LOG_FATAL("Missing target DN.\n"); 
    goto done; 
}
...

I'm not sure what in the 6 bug fixes in 1.4.4.12 that would have messed up the SLAPI_TARGET_DN of an ADD operation. It would be nice to catch this in a debugger to see the full stack trace of how it got there.

tbordaz commented 3 years ago

@flo-renaud indeed none of the -12 tickets looks as obvious responsible of this regression. The failure being reproducible systematically, would you mind to run the same tests with https://copr.fedorainfracloud.org/coprs/g/389ds/389-ds-base-nightly/build/2108292/ ?

flo-renaud commented 3 years ago

@tbordaz the test results will be available in https://github.com/freeipa-pr-ci2/freeipa/pull/815

tbordaz commented 3 years ago

@flo-renaud same failure with that copr build

master logs
------------
[30/Mar/2021:12:54:27.946424818 +0000] conn=4 op=5 ADD dn="cn=replication manager,cn=config"
[30/Mar/2021:12:54:27.977154011 +0000] conn=4 op=5 RESULT err=1 tag=105 nentries=0 wtime=0.000164301 optime=0.030720598 etime=0.030879500

[30/Mar/2021:12:54:27.983294418 +0000] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry.

report.html
-----------
INFO     ipatests.pytest_ipa.integration.host.Host.master.IPAOpenSSHTransport:transport.py:391 RUN ['ipa-replica-manage', 'connect', '--winsync', '--binddn', 'cn=Administrator,cn=users,dc=ad,dc=test', '--bindpw', 'Secret123', '--password', 'Secret.123', '--cacert', '/tmp/tmp.NtDUzquSH7', '--passsync', 'dummy', 'ad-root.ad.test', '-v']
...
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd85:transport.py:557 ldap.OPERATIONS_ERROR: {'msgtype': 105, 'msgid': 6, 'result': 1, 'desc': 'Operations error', 'ctrls': [], 'info': 'Invalid DN'}

I will look again at the remaining modifications but like will create a new copr build

tbordaz commented 3 years ago

Having a doubt if change in aci #5442 may trigger this failure. Could you launch again the tests with copr build

flo-renaud commented 3 years ago

@tbordaz the results will be available at the same location: https://github.com/freeipa-pr-ci2/freeipa/pull/815

tbordaz commented 3 years ago

@flo-renaud last copr build to check which of those to bug fixes triggered the regression Issue 4396 - Minor memory leak in backend (#4558) (#4572) Issue 4324 - Performance search rate: change entry cache monitor to recursive pthread mutex (#4569)

flo-renaud commented 3 years ago

New tests launched at the same location: https://github.com/freeipa-pr-ci2/freeipa/pull/815

tbordaz commented 3 years ago

Okay, the regression is due to #4396 that somehow breaks many suffixes ("", cn=monitor, cn=config). I am surprise it is discovered so late. I will revert it. Would you please confirm this copr build is working ?

flo-renaud commented 3 years ago

Tests are running, same location: https://github.com/freeipa-pr-ci2/freeipa/pull/815

tbordaz commented 3 years ago

ba598c798..ab0bc2e6c master 671774894..be2e6636c 389-ds-base-1.4.4