9:26 a.m.
https://bugs.openldap.org/show_bug.cgi?id=9295
Issue ID: 9295
Summary: ppolicy and replication: pwdLockedTime replication
fails to replicate
Product: OpenLDAP
Version: 2.4.50
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: quanah(a)openldap.org
Target Milestone: ---
If you have the following setup, a replica will hit an error during
replication.
a) ppolicy is configured on provider(s) and replicas. Replica has
schemachecking=on in its syncrepl configuration
b) account gets locked on the replica, so pwdAccountLockedTime is set on the
replica but not on the provider(s)
c) admin does a MOD/ADD op against a provider for the user entry to add a value
to pwdAccountLockedTime
dn: ...
changetype: modify
add: pwdAccountLockedTime
pwdAccountLockedTime: ...
d) provider accepts this modification.
e) replica rejects this modification because the resulting change means that
there would be two pwdAccountLockedTime values on the account in question
Generally I believe that in this scenario, the MOD/ADD on the provider should
be treated as a replace OP instead of an ADD op
--
You are receiving this mail because:
You are on the CC list for the issue.
10:53 a.m.
New subject: [Issue 9295] ppolicy and replication: pwdLockedTime replication fails to replicate
https://bugs.openldap.org/show_bug.cgi?id=9295
--- Comment #1 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
Note: only way to recover from this scenario is to completely reload the
replica's db.
--
You are receiving this mail because:
You are on the CC list for the issue.
1:09 p.m.
New subject: [Issue 9295] ppolicy and replication: pwdLockedTime replication fails to replicate
https://bugs.openldap.org/show_bug.cgi?id=9295
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|--- |2.4.51
--
You are receiving this mail because:
You are on the CC list for the issue.
3:41 p.m.
New subject: [Issue 9295] ppolicy and replication: pwdLockedTime replication fails to replicate
https://bugs.openldap.org/show_bug.cgi?id=9295
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|UNCONFIRMED |RESOLVED
--- Comment #2 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
head:
Commits:
• 4cf90e84
by Howard Chu at 2020-07-29T16:15:42+01:00
ITS#9295 use replace on single-valued attrs
RE24:
Commits:
• a95890e9
by Howard Chu at 2020-07-29T22:39:32+00:00
ITS#9295 use replace on single-valued attrs
--
You are receiving this mail because:
You are on the CC list for the issue.
9:24 a.m.
New subject: [Issue 9295] ppolicy and replication: pwdLockedTime replication fails to replicate
https://bugs.openldap.org/show_bug.cgi?id=9295
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |VERIFIED
--
You are receiving this mail because:
You are on the CC list for the issue.
2:58 p.m.
New subject: [Issue 9295] ppolicy and replication: pwdLockedTime replication fails to replicate
https://bugs.openldap.org/show_bug.cgi?id=9295
--- Comment #3 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
trunk:
Commits:
• efc23cdd
by Ondřej Kuzník at 2020-09-30T18:55:34+00:00
ITS#9295 Do not replace 'op'
--
You are receiving this mail because:
You are on the CC list for the issue.
3:03 p.m.
New subject: [Issue 9295] ppolicy and replication: pwdLockedTime replication fails to replicate
https://bugs.openldap.org/show_bug.cgi?id=9295
--- Comment #4 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
re24:
• 8ff00e1d
by Ondřej Kuzník at 2020-09-30T21:55:05+00:00
ITS#9295 Do not replace 'op'
--
You are receiving this mail because:
You are on the CC list for the issue.
3:41 p.m.
New subject: [Issue 9295] ppolicy and replication: pwdLockedTime replication fails to replicate
https://bugs.openldap.org/show_bug.cgi?id=9295
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|2.4.51 |2.4.54
--
You are receiving this mail because:
You are on the CC list for the issue.
6:04 a.m.
New subject: [Issue 9295] ppolicy and replication: pwdLockedTime replication fails to replicate
https://bugs.openldap.org/show_bug.cgi?id=9295
Ondřej Kuzník <ondra(a)mistotebe.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|FIXED |---
Ever confirmed|0 |1
Status|VERIFIED |CONFIRMED
--- Comment #5 from Ondřej Kuzník <ondra(a)mistotebe.net> ---
The way we munge the inbound op can backfire on operations like this:
```
add: singlevalued
singlevalued: new
-
delete: singlevalued
singlevalued: old
```
Arguably, applications that do this are strange, but the protocol allows this
and it's accepted on the provider.
Seems that for single-valued ops, we probably need to merge and transform
retrospectively as we go and relevant changes for syncrepl_message_to_op need
to be made.
--
You are receiving this mail because:
You are on the CC list for the issue.
9:20 a.m.
New subject: [Issue 9295] ppolicy and replication: pwdLockedTime replication fails to replicate
https://bugs.openldap.org/show_bug.cgi?id=9295
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|2.4.54 |2.4.59
--
You are receiving this mail because:
You are on the CC list for the issue.
9:21 a.m.
New subject: [Issue 9295] ppolicy and replication: pwdLockedTime replication fails to replicate
https://bugs.openldap.org/show_bug.cgi?id=9295
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Assignee|bugs(a)openldap.org |ondra(a)mistotebe.net
--
You are receiving this mail because:
You are on the CC list for the issue.
2 a.m.
New subject: [Issue 9295] ppolicy and replication: pwdLockedTime replication fails to replicate
https://bugs.openldap.org/show_bug.cgi?id=9295
Ondřej Kuzník <ondra(a)mistotebe.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|CONFIRMED |IN_PROGRESS
--- Comment #6 from Ondřej Kuzník <ondra(a)mistotebe.net> ---
Tracked in MR!307
https://git.openldap.org/openldap/openldap/-/merge_requests/307
--
You are receiving this mail because:
You are on the CC list for the issue.
9:17 a.m.
New subject: [Issue 9295] ppolicy and replication: pwdLockedTime replication fails to replicate
https://bugs.openldap.org/show_bug.cgi?id=9295
--- Comment #7 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
head:
Commits:
• afa19de2
by Ondřej Kuzník at 2021-04-12T15:15:02+00:00
ITS#9295 Handle add+delete on a single-value attr
--
You are receiving this mail because:
You are on the CC list for the issue.
9:16 a.m.
New subject: [Issue 9295] ppolicy and replication: pwdLockedTime replication fails to replicate
https://bugs.openldap.org/show_bug.cgi?id=9295
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|IN_PROGRESS |RESOLVED
Resolution|--- |TEST
--- Comment #8 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
RE24:
commit 95fb5f0e4d453b201c0b27955ef7f8c37b959c6c
Author: Ondřej Kuzník <ondra(a)mistotebe.net>
Date: Thu Apr 1 15:17:14 2021 +0100
ITS#9295 Handle add+delete on a single-value attr
--
You are receiving this mail because:
You are on the CC list for the issue.
3:20 p.m.
New subject: [Issue 9295] ppolicy and replication: pwdLockedTime replication fails to replicate
https://bugs.openldap.org/show_bug.cgi?id=9295
--- Comment #9 from Michael Ströder <michael(a)stroeder.com> ---
(In reply to Ondřej Kuzník from comment #5)
The way we munge the inbound op can backfire on operations like
this:
```
add: singlevalued
singlevalued: new
-
delete: singlevalued
singlevalued: old
```
Arguably, applications that do this are strange, but the protocol allows
this and it's accepted on the provider.
Note that it's not strange at all: This is the recommended client behaviour
when using an ID pool entry for unique ID assignment.
I'm glad this will be fixed in 2.4.59.
--
You are receiving this mail because:
You are on the CC list for the issue.
2:46 a.m.
New subject: [Issue 9295] ppolicy and replication: pwdLockedTime replication fails to replicate
https://bugs.openldap.org/show_bug.cgi?id=9295
--- Comment #10 from Ondřej Kuzník <ondra(a)mistotebe.net> ---
On Fri, May 28, 2021 at 10:20:59PM +0000, openldap-its(a)openldap.org wrote:
> The way we munge the inbound op can backfire on operations like
this:
>
> ```
> add: singlevalued
> singlevalued: new
> -
> delete: singlevalued
> singlevalued: old
> ```
>
> Arguably, applications that do this are strange, but the protocol allows
> this and it's accepted on the provider.
Note that it's not strange at all: This is the recommended client behaviour
when using an ID pool entry for unique ID assignment.
I'm not sure what the difference is to just sending a delete, then add
from application's point of view? I know it shouldn't matter as the
entry only needs to be consistent/valid when the operation is finished,
but you're saying there are reasons to do just this...
--
You are receiving this mail because:
You are on the CC list for the issue.
4:19 a.m.
New subject: [Issue 9295] ppolicy and replication: pwdLockedTime replication fails to replicate
https://bugs.openldap.org/show_bug.cgi?id=9295
--- Comment #11 from Michael Ströder <michael(a)stroeder.com> ---
On 5/29/21 11:46 AM, openldap-its(a)openldap.org wrote:
https://bugs.openldap.org/show_bug.cgi?id=9295
--- Comment #10 from Ondřej Kuzník <ondra(a)mistotebe.net> ---
On Fri, May 28, 2021 at 10:20:59PM +0000, openldap-its(a)openldap.org wrote:
>> The way we munge the inbound op can backfire on operations like this:
>>
>> ```
>> add: singlevalued
>> singlevalued: new
>> -
>> delete: singlevalued
>> singlevalued: old
>> ```
>>
>> Arguably, applications that do this are strange, but the protocol allows
>> this and it's accepted on the provider.
>
> Note that it's not strange at all: This is the recommended client behaviour
> when using an ID pool entry for unique ID assignment.
I'm not sure what the difference is to just sending a delete, then
add from application's point of view? I know it shouldn't matter as
the entry only needs to be consistent/valid when the operation is
finished, but you're saying there are reasons to do just this...
Deleting
certain attribute values makes sure that the entry you're
modifying still has its former state. So this uses the ACID properties
of a single modify operation as a test-and-set operation.
Most common example is ID assignment with an ID pool entry. You want to
make sure that no other LDAP client consumed the next ID in between your
last read and current ID update attempt.
My web2ldap also does this since many years to provoke write conflicts
if users modified the same entry. And yes, it looks into subschema to
determine whether the attributes have EQUALITY matching rule defined.
Note before your next answer: ;-)
Not every LDAP server supports assertion control or MOD_INCREMENT with
read entry controls. Or even worse, some implementations of the
assertion control are buggy...
Ciao, Michael.
--
You are receiving this mail because:
You are on the CC list for the issue.
6:14 a.m.
New subject: [Issue 9295] ppolicy and replication: pwdLockedTime replication fails to replicate
https://bugs.openldap.org/show_bug.cgi?id=9295
--- Comment #12 from Howard Chu <hyc(a)openldap.org> ---
(In reply to Michael Ströder from comment #11)
On 5/29/21 11:46 AM, openldap-its(a)openldap.org wrote:
> https://bugs.openldap.org/show_bug.cgi?id=9295
>
> --- Comment #10 from Ondřej Kuzník <ondra(a)mistotebe.net> ---
> On Fri, May 28, 2021 at 10:20:59PM +0000, openldap-its(a)openldap.org wrote:
>>> The way we munge the inbound op can backfire on operations like this:
>>>
>>> ```
>>> add: singlevalued
>>> singlevalued: new
>>> -
>>> delete: singlevalued
>>> singlevalued: old
>>> ```
>>>
>>> Arguably, applications that do this are strange, but the protocol allows
>>> this and it's accepted on the provider.
>>
>> Note that it's not strange at all: This is the recommended client behaviour
>> when using an ID pool entry for unique ID assignment.
>
> I'm not sure what the difference is to just sending a delete, then
> add from application's point of view? I know it shouldn't matter as
> the entry only needs to be consistent/valid when the operation is
> finished, but you're saying there are reasons to do just this...
Deleting certain attribute values makes sure that the entry you're
modifying still has its former state. So this uses the ACID properties
of a single modify operation as a test-and-set operation.
Most common example is ID assignment with an ID pool entry. You want to
make sure that no other LDAP client consumed the next ID in between your
last read and current ID update attempt.
My web2ldap also does this since many years to provoke write conflicts
if users modified the same entry. And yes, it looks into subschema to
determine whether the attributes have EQUALITY matching rule defined.
What you're describing is indeed routine. But the usual sequence is
for the delete to come before the add. Even though it should make no
difference in the end, it is unusual to do the add before the delete.
--
You are receiving this mail because:
You are on the CC list for the issue.
3:38 p.m.
New subject: [Issue 9295] ppolicy and replication: pwdLockedTime replication fails to replicate
https://bugs.openldap.org/show_bug.cgi?id=9295
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |VERIFIED
Resolution|TEST |FIXED
--
You are receiving this mail because:
You are on the CC list for the issue.
848
days inactive
1169
days old
18 comments
1 participants
participants (1)
-
openldap-its@openldap.org