Full_Name: Quanah Gibson-Mount
Version: OpenLDAP 2.4
OS: N/A
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (47.208.148.239)

In OpenLDAP 2.4.43, a new attribute was added to the external ppolicy schema (ITS#8185). While this worked fine with older slapd.conf-based configurations where the ppolicy schema file was replaced on upgrade, it was a complete and utter disaster for deployments using cn=config, as the ppolicy overlay references all the attributes defined in the external ppolicy schema file. To be able to upgrade without failure, one would have to export cn=config, update the binaries, update the ppolicy schema information in the exported cn=config database, re-import cn=config, and then start slapd. This broke the usual ability to do in-place upgrades with cn=config.
Instead, the entire contents of the ppolicy.schema file should be internalized to the ppolicy overlay, similar to how the accesslog overlay is written, and the external ppolicy.schema file deleted. This will allow non-breaking upgrades for both slapd.conf and cn=config based configurations.
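
A pre-upgrade check for the failure described above, as an added example that is not part of the original report or of OpenLDAP's code: it compares the ppolicy attribute types in an exported cn=config LDIF with those in the new release's ppolicy schema LDIF and lists the ones the running configuration lacks. Both LDIF samples are constructed and abbreviated, the new attribute's name and OID are placeholders, and values are assumed not to be base64-encoded.

```python
import re

# Constructed sample: ppolicy entry from a `slapcat -n 0` export (old schema).
EXPORTED = """\
dn: cn={4}ppolicy,cn=schema,cn=config
olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' )
olcAttributeTypes: {1}( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMi
 nAge' )
"""
# Constructed sample: schema LDIF of the new release. The last attribute's name
# and OID are placeholders, not the attribute ITS#8185 actually added.
NEW_SCHEMA = """\
dn: cn=ppolicy,cn=schema,cn=config
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' )
olcAttributeTypes: ( 1.1.1.1 NAME ( 'placeholderNewAttr' 'pna' ) )
"""
PPOLICY_DN = re.compile(r"cn=(\{\d+\})?ppolicy,cn=schema,cn=config", re.I)

def entries(ldif):
    """Unfold continuation lines, then split into lists of (attr, value)."""
    unfolded = re.sub(r"\n ", "", ldif)  # an LDIF fold is newline + one space
    out = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        pairs = [l.partition(":") for l in block.splitlines() if not l.startswith("#")]
        out.append([(a.lower(), v.strip()) for a, _, v in pairs])
    return out

def ppolicy_attrs(ldif):
    """Lower-cased NAMEs of attribute types defined in the ppolicy schema entry."""
    for entry in entries(ldif):
        if PPOLICY_DN.fullmatch(dict(entry).get("dn", "")):
            names = set()
            for attr, val in entry:
                if attr != "olcattributetypes":
                    continue
                m = re.search(r"NAME\s+(?:'[^']+'|\([^)]*\))", val)
                if m:  # NAME is either one quoted name or a parenthesised list
                    names.update(n.lower() for n in re.findall(r"'([^']+)'", m.group(0)))
            return names
    raise ValueError("no ppolicy schema entry found")

def missing_after_upgrade(exported, new_schema):
    """Attribute types the new schema defines that the exported cn=config lacks."""
    return sorted(ppolicy_attrs(new_schema) - ppolicy_attrs(exported))

if __name__ == "__main__":
    print(missing_after_upgrade(EXPORTED, NEW_SCHEMA))
```

A non-empty result means the exported cn=config still carries the old ppolicy schema and needs the export, update and re-import steps before the new slapd is started.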