Full_Name: Ivan Nejgebauer
Version: 2.4.41 Engineering
OS: Linux
URL: ftp://ftp.openldap.org/incoming/ivannejgebauer-150128.tgz
Submission from: (NULL) (2001:4170:2000:2:11e5:197a:fff8:8042)
If an ldapmodify which changes an entry's structural object class using the Relax Rules control is successfully performed on the provider in a provider/consumer pair running delta-syncrepl, the modification will fail on the consumer because relax is not in effect when the consumer attempts to modify its copy of the entry.
The attached archive, which should be extracted in the root of the OpenLDAP source tree, contains scripts and data to replicate the issue. Steps to reproduce:
$ sh relax-syncrel-test/conf-ldap-mdb && make depend && make
$ cd relax-syncrepl-test
$ make clean-all master replica
$ ./start-master.sh
$ ./mod-l-master.sh here # modifies an entry to prime accesslog
$ ./start-replica.sh # writes SYNC debugging to replica.log
$ ./mod-relax-master.sh # ldapmodify w/relax
$ tail replica.log # "entry failed schema check: ..."
$ ./stop-replica.sh
$ ./stop-master.sh
A trivial but indiscriminate fix is to activate Relax Rules for every modify op on the consumer:
--- servers/slapd/syncrepl.c.orig 2015-01-22 03:02:09.000000000 +0100 +++ servers/slapd/syncrepl.c 2015-01-28 10:31:22.225060880 +0100 @@ -2349,6 +2349,7 @@ oes.oe_si = si; LDAP_SLIST_INSERT_HEAD( &op->o_extra, &oes.oe, oe_next ); } + op->o_relax = SLAP_CONTROL_CRITICAL; rc = op->o_bd->be_modify( op, &rs ); if ( SLAP_MULTIMASTER( op->o_bd )) { LDAP_SLIST_REMOVE( &op->o_extra, &oes.oe, OpExtra, oe_next );
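Review bot: the added "op->o_relax = SLAP_CONTROL_CRITICAL;" sits after the closing brace of the preceding block and directly before the be_modify call, so it is unconditional: every modify the consumer replays runs with Relax Rules on, not only the ones that carried the control on the provider. That removes the consumer's schema check (the "entry failed schema check" path) as a safeguard for all replicated modifications. Suggest setting it only when the replicated operation is known to have used relax. The hunk also does not restore the previous o_relax value after the call, although op is still used afterward (the LDAP_SLIST_REMOVE on op->o_extra), so saving and restoring it around be_modify would keep the flag from leaking into later use of op. A short comment stating why relax is set here would help the next reader.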
A real fix would involve modifying the persistent search to include reqControls in its attribute list and activating Relax Rules on the consumer only if it had been active on the provider when the modification occurred.