[Freeipa-devel] Disabling Schema Compatibility rule

[Alexander Bokovoy]

On Fri, 04 Mar 2016, Jakub Hrozek wrote:
>On Fri, Mar 04, 2016 at 11:10:47AM +0200, Alexander Bokovoy wrote:
>> On the other hand, if no users are going to use the configuration, it
>> should not hurt anymore to have it enabled. With current slapi-nis state
>> there should be no problems anymore.
>
>I admit I haven't been following the slapi-nis patches closely. Are you
>saying that if no sssd clients are using the slapi-nis tree (remember we
>used the tree mostly for sudo rules lately) the users wouldn't see
>issues that they were seeing previously (IIRC it had to do with locking
>because every auth, so also every bind was a write operation) ?
>
>Or were these issues fixed in slapi-nis so even using the compat tree
>for sudo rules would not be problematic anymore?
These issues were because slapi-nis has a single lock that was taken for
long time when processing reads due to clients not reading out the data
and thus mingling with write operations. The change we did in slapi-nis
0.55 is by allowing reads to operate on a private copy of that data,
thus dropping locks way before results are sent out -- now if a client
refuses to read the data, nothing holds the lock to internal slapi-nis
structure anymore.
-- 
/ Alexander Bokovoy