ldap/servers/slapd/schema.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
Author: Thierry Bordaz <tbordaz(a)redhat.com>
Date: Thu Sep 22 20:48:13 2016 +0200
Ticket 48992: Total init may fail if the pushed schema is rejected
In the early phase of total update (or incremental update), the supplier may send
A supplier will send its schema to the consumer at the condition its nsSchemaCSN
is greater than
the consumer nsSchemaCSN.
If it is the case, a 1.2.11 supplier will systematically send its schema, while a
1.3 supplier will
check that its schema is a superset of the consumer schema before sending it.
If a 1.2.11 supplier sends its schema and that schema is a subset of consumer one,
the >1.3 consumer will detect it is a subset and reject the update.
In that case the >1.3 consumer rejects a replicated update.
On the consumer side, with the fix https://fedorahosted.org/389/ticket/47788
replication operation fails, it may trigger the closure of the replication
The fix decides, based on the type of failure, if the failure can be ignored
(leave the connection
opened) or is fatal (close the connection).
This is detected, on the consumer side, in
In the current version, if a replicated update of the schema fails it return
This is a fatal error regarding ignore_error_and_keep_going that then close the
and interrupt the total/incremental update.
Note this bug can be transient as, the schema learning mechanism (on consumer) may
the received schema (even if it is rejected) and update its local schema that
nsSchemaCSN. If this occur, a later replication session finding a greater
nsSchemaCSN on the
consumer side will not push the schema
When the update of the schema is rejected make it not fatal, switching the
code from LDAP_UNWILLING_TO_PERFORM to LDAP_CONSTRAINT_VIOLATION
Reviewed by: Noriko Hosoi, Ludwig Krispenz (thanks to you !)
Platforms tested: 7.3
Flag Day: no
Doc impact: no
diff --git a/ldap/servers/slapd/schema.c b/ldap/servers/slapd/schema.c
index 164dd78..c0581b7 100644
@@ -2120,7 +2120,24 @@ modify_schema_dse (Slapi_PBlock *pb, Slapi_Entry *entryBefore,
"[C] Local %s must not be overwritten (set replication log for
- *returncode = LDAP_UNWILLING_TO_PERFORM;
+ * If the update (replicated) of the schema is rejected then
+ * process_postop->ignore_error_and_keep_going will decide if
+ * this failure is fatal or can be ignored.
+ * LDAP_UNWILLING_TO_PERFORM is considered as fatal error --> close
+ * A 6.x supplier may send a subset schema and trigger this error,
+ * will break the replication session.
+ * With new "learning" mechanism this is not that important
+ * update of the schema is successful or not. Just be permissive
+ * ignoring that failure to let the full replication session going on
+ * So return LDAP_CONSTRAINT_VIOLATION (in place of
+ * is pick up as best choice of non fatal returncode.
+ * (others better choices UNWILLING_TO_PERFORM, OPERATION_ERROR or
+ * are unfortunately all fatal).
+ *returncode = LDAP_CONSTRAINT_VIOLATION;