New subject: [Issue 9294] ppolicy and replication: Multiple values for pwdLockedTime in violation of schema

17 Jul 2020


      https://bugs.openldap.org/show_bug.cgi?id=9294
Issue ID: 9294
           Summary: ppolicy and replication: Multiple values for
                    pwdLockedTime in violation of schema
           Product: OpenLDAP
           Version: 2.4.50
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: ---
         Component: overlays
          Assignee: bugs@openldap.org
          Reporter: quanah@openldap.org
  Target Milestone: ---
If you have the following setup, a replica can end up with user entries in a
non-schema compliant state:
a) ppolicy is configured on provider(s) and replicas.  Replica has
schemachecking=off in its syncrepl configuration
b) account gets locked on the replica, so pwdAccountLockedTime is set on the
replica but not on the provider(s)
c) admin does a MOD/ADD op against a provider for the user entry to add a value
to pwdAccountLockedTime
dn: ...
changetype: modify
add: pwdAccountLockedTime
pwdAccountLockedTime: ...
d) provider accepts this modification.
e) replica accepts this modification
f) account entry on replica now has two values for pwdAccountLockedTime in
violation of it being a single valued attribute:
"( 1.3.6.1.4.1.42.2.27.8.1.17 "
        "NAME ( 'pwdAccountLockedTime' ) "
        "DESC 'The time an user account was locked' "
        "EQUALITY generalizedTimeMatch "
        "ORDERING generalizedTimeOrderingMatch "
        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
        "SINGLE-VALUE "
-- 
You are receiving this mail because:
You are on the CC list for the issue.

[Issue 9294] New: ppolicy and replication: Multiple values for pwdLockedTime in violation of schema