https://bugs.openldap.org/show_bug.cgi?id=9294
Issue ID: 9294
Summary: ppolicy and replication: Multiple values for pwdLockedTime in violation of schema
Product: OpenLDAP
Version: 2.4.50
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs@openldap.org
Reporter: quanah@openldap.org
Target Milestone: ---
If you have the following setup, a replica can end up with user entries in a non-schema compliant state:
a) ppolicy is configured on provider(s) and replicas. Replica has schemachecking=off in its syncrepl configuration
b) account gets locked on the replica, so pwdAccountLockedTime is set on the replica but not on the provider(s)
c) admin does a MOD/ADD op against a provider for the user entry to add a value to pwdAccountLockedTime

dn: ...
changetype: modify
add: pwdAccountLockedTime
pwdAccountLockedTime: ...

d) provider accepts this modification.
e) replica accepts this modification
f) account entry on replica now has two values for pwdAccountLockedTime in violation of it being a single-valued attribute:

"( 1.3.6.1.4.1.42.2.27.8.1.17 "
"NAME ( 'pwdAccountLockedTime' ) "
"DESC 'The time an user account was locked' "
"EQUALITY generalizedTimeMatch "
"ORDERING generalizedTimeOrderingMatch "
"SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
"SINGLE-VALUE "
--- Comment #1 from Howard Chu hyc@openldap.org --- You just said (a) schemachecking=off, so why would you expect the result to be schema-conforming?
Quanah Gibson-Mount quanah@openldap.org changed:
What             | Removed | Added
-----------------|---------|-------
Target Milestone | ---     | 2.4.51
--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org --- The fix for Issue#9295 also fixes this issue since all MOD/add ops are converted to a replace during replication.
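The sequence from the report (steps b through f) and the ITS#9295 behaviour described in this comment, as an added example that is not OpenLDAP's code: a toy model in which an entry is a dict of attribute values, the replica applies the replicated modify with schema checking off, and the fix rewrites a replicated add on a single-valued attribute into a replace. The schema subset, the rewrite rule, the sample entry and the GeneralizedTime values are assumed/constructed for the example.

```python
# Added example (not OpenLDAP code): a toy model of the replay path in this
# ticket. Attribute names come from the report; everything else is assumed.

# Schema subset from the report: pwdAccountLockedTime is SINGLE-VALUE.
SINGLE_VALUED = {"pwdAccountLockedTime"}

def apply_mod(entry, op, attr, values, schemachecking=True):
    """Apply one LDAP modify operation to an entry (dict: attr -> [values])."""
    current = entry.get(attr, [])
    if op == "add":
        new = current + [v for v in values if v not in current]
    elif op == "replace":
        new = list(values)
    elif op == "delete":
        new = [v for v in current if v not in values] if values else []
    else:
        raise ValueError(f"unknown modify op {op!r}")
    # With schema checking on, a second value for a single-valued attribute is
    # rejected; the report's replica has schemachecking=off, so it is stored.
    if schemachecking and attr in SINGLE_VALUED and len(new) > 1:
        raise ValueError(f"{attr}: attribute is single-valued")
    if new:
        entry[attr] = new
    else:
        entry.pop(attr, None)
    return entry

def syncrepl_rewrite(op, attr):
    """Behaviour described in comment #2 (ITS#9295): an add replicated for a
    single-valued attribute is applied as a replace instead."""
    if op == "add" and attr in SINGLE_VALUED:
        return "replace"
    return op

def replicate(replica_entry, op, attr, values, fixed):
    """Replay a provider modification on a schemachecking=off replica."""
    if fixed:
        op = syncrepl_rewrite(op, attr)
    return apply_mod(replica_entry, op, attr, values, schemachecking=False)

def scenario(fixed):
    """Steps (b)-(f) of the report; returns the replica's pwdAccountLockedTime."""
    # Constructed GeneralizedTime values: the lock set locally on the replica
    # at step (b), and the value the admin adds on the provider at step (c).
    lock_replica, lock_admin = "20200701120000Z", "20200702093000Z"
    replica = {"uid": ["jdoe"], "pwdAccountLockedTime": [lock_replica]}
    replicate(replica, "add", "pwdAccountLockedTime", [lock_admin], fixed)
    return replica["pwdAccountLockedTime"]
```

`scenario(False)` reproduces the two-valued entry from step (f); `scenario(True)` shows the replica ending up with only the admin's value once the add is applied as a replace.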
Quanah Gibson-Mount quanah@openldap.org changed:
What       | Removed     | Added
-----------|-------------|---------
Resolution | ---         | FIXED
Status     | UNCONFIRMED | RESOLVED
--- Comment #3 from Quanah Gibson-Mount quanah@openldap.org ---
head:

Commits:
• 4cf90e84 by Howard Chu at 2020-07-29T16:15:42+01:00
  ITS#9295 use replace on single-valued attrs

RE24:

Commits:
• a95890e9 by Howard Chu at 2020-07-29T22:39:32+00:00
  ITS#9295 use replace on single-valued attrs
Quanah Gibson-Mount quanah@openldap.org changed:
What   | Removed  | Added
-------|----------|---------
Status | RESOLVED | VERIFIED