--On Thursday, October 11, 2018 9:25 PM +0000 quanah@openldap.org wrote:
When the second action is performed (c), all consumers will go into REFRESH mode:
There appears to be a serious bug in ppolicy. If I look at the accesslog data that was written out, the "pwdFailureTime" attribute is cleared on two different entries instead of just the user entry that had its password reset. I.e., pwdFailureTime is cleared on the user AND the DN of the manager entry that made the change.
dn: reqStart=20181012145703.000000Z,cn=accesslog
objectClass: auditModify
structuralObjectClass: auditModify
reqStart: 20181012145703.000000Z
reqEnd: 20181012145703.000001Z
reqType: modify
reqSession: 1003
reqAuthzID: cn=ldaproot,dc=example,dc=com
reqDN: uid=user1,ou=user,dc=example,dc=com
reqResult: 0
reqMod: pwdFailureTime:+ 20181012145703.125562Z
reqMod: entryCSN:= 20181012145703.125803Z#000000#001#000000
reqMod: modifiersName:= cn=ldaproot,dc=example,dc=com
reqMod: modifyTimestamp:= 20181012145703Z
reqEntryUUID: ac657c60-e60a-412d-b015-522fc451e89a
entryUUID: d2b4a16c-627a-1038-9d4c-dbb80effb9f4
creatorsName: cn=accesslog
createTimestamp: 20181012145703Z
entryCSN: 20181012145703.125803Z#000000#001#000000
modifiersName: cn=accesslog
modifyTimestamp: 20181012145703Z

dn: reqStart=20181012145706.000000Z,cn=accesslog
objectClass: auditModify
structuralObjectClass: auditModify
reqStart: 20181012145706.000000Z
reqEnd: 20181012145706.000001Z
reqType: modify
reqSession: 1003
reqAuthzID: cn=ldaproot,dc=example,dc=com
reqDN: cn=idmgmt,ou=user,ou=service,dc=example,dc=com
reqResult: 0
reqMod: pwdFailureTime:-
reqMod: entryCSN:= 20181012145706.147871Z#000000#001#000000
reqMod: modifiersName:= cn=ldaproot,dc=example,dc=com
reqMod: modifyTimestamp:= 20181012145706Z
reqEntryUUID: bf72bf9a-6079-102b-83cd-8572a998cec3
entryUUID: d4822668-627a-1038-9d4d-dbb80effb9f4
creatorsName: cn=accesslog
createTimestamp: 20181012145706Z
entryCSN: 20181012145706.147871Z#000000#001#000000
modifiersName: cn=accesslog
modifyTimestamp: 20181012145706Z

dn: reqStart=20181012145706.000002Z,cn=accesslog
objectClass: auditModify
structuralObjectClass: auditModify
reqStart: 20181012145706.000002Z
reqEnd: 20181012145706.000003Z
reqType: modify
reqSession: 1003
reqAuthzID: cn=idmgmt,ou=user,ou=service,dc=example,dc=com
reqDN: uid=user1,ou=user,dc=example,dc=com
reqResult: 0
reqMod: userPassword:= {SSHA}y8UHEPuMnrOwrZnufP3XrG7ofbHKRpT0
reqMod: pwdChangedTime:= 20181012145706Z
reqMod: pwdFailureTime:-
reqMod: entryCSN:= 20181012145706.171028Z#000000#001#000000
reqMod: modifiersName:= cn=idmgmt,ou=user,ou=service,dc=example,dc=com
reqMod: modifyTimestamp:= 20181012145706Z
reqEntryUUID: ac657c60-e60a-412d-b015-522fc451e89a
entryUUID: d4845d20-627a-1038-9d4e-dbb80effb9f4
creatorsName: cn=accesslog
createTimestamp: 20181012145706Z
entryCSN: 20181012145706.171028Z#000000#001#000000
modifiersName: cn=accesslog
modifyTimestamp: 20181012145706Z
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
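
Added example (not part of the original message and not OpenLDAP code): a small Python pass over accesslog LDIF that lists every modify deleting pwdFailureTime, with the entry it touched, the identity that requested it, and whether the same operation also changed userPassword. The sample records are constructed by trimming the three entries in the message; the function names are hypothetical.

```python
# Constructed sample: the three accesslog records from the message, trimmed to the
# attributes used here; the userPassword value is a placeholder.
SAMPLE = """\
dn: reqStart=20181012145703.000000Z,cn=accesslog
reqAuthzID: cn=ldaproot,dc=example,dc=com
reqDN: uid=user1,ou=user,dc=example,dc=com
reqMod: pwdFailureTime:+ 20181012145703.125562Z

dn: reqStart=20181012145706.000000Z,cn=accesslog
reqAuthzID: cn=ldaproot,dc=example,dc=com
reqDN: cn=idmgmt,ou=user,ou=service,dc=example,dc=com
reqMod: pwdFailureTime:-

dn: reqStart=20181012145706.000002Z,cn=accesslog
reqAuthzID: cn=idmgmt,ou=user,ou=service,dc=example,dc=com
reqDN: uid=user1,ou=user,dc=example,dc=com
reqMod: userPassword:= {SSHA}PLACEHOLDER
reqMod: pwdFailureTime:-
"""

def parse_records(ldif):
    """Split accesslog LDIF into dicts of attribute -> list of values."""
    ldif = ldif.replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    records = []
    for block in ldif.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # base64 ("attr:: ...") values are kept undecoded
                rec.setdefault(key, []).append(value.strip())
        records.append(rec)
    return records

def failure_time_clears(ldif):
    """List (reqDN, reqAuthzID, password_changed) for each pwdFailureTime delete."""
    hits = []
    for rec in parse_records(ldif):
        ops = {}
        for mod in rec.get("reqMod", []):  # reqMod is "attr:<op> [value]", op in + - = #
            attr, _, rest = mod.partition(":")
            ops[attr.lower()] = rest[:1]
        if ops.get("pwdfailuretime") == "-":
            hits.append((rec["reqDN"][0], rec["reqAuthzID"][0], "userpassword" in ops))
    return hits

if __name__ == "__main__":
    for dn, who, pw in failure_time_clears(SAMPLE):
        print(f"{dn} cleared by {who}; password changed in same op: {pw}")
```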