On Mon, Sep 01, 2025 at 07:17:04AM +0000, Windl, Ulrich wrote:
> Hi!
> After a long time I checked the database dump I had created with slapcat in OpenLDAP 2.5. I always thought that all attributes from the database were saved, but it seems some attributes related to password policy aren't: Specifically I cannot find the pwdChangedTime that is there when searching for it. I also miss the pwdHistory, but the pwdPolicySubentry attribute is there.
> When I compare the dump with the last one created with OpenLDAP 2.4, I see that those attributes (pwdChangedTime, pwdHistory) are still there.
> That makes me wonder: Is it a bug in OpenLDAP, or is it a bug in my configuration? As I understand it, ACLs should not play a role for slapcat, right? The command I'm using is "slapcat -o ldif-wrap=no -n $DBNUM -F $CONFDIR -g -l "$TMPFILE1"

Hi Ulrich,
running test022-ppolicy from the test suite, then slapcat, these attributes are returned just fine. Make sure you're running the ldapsearch and slapcat against the same server.

It still looks like an ACL issue to me: if it's a replica you are running slapcat on, is it actually allowed to read those attributes from its provider's database? Because if not, it will never receive them, and if you're in a deltasync scenario, you've just violated rule number 1 of deltasync - unrestricted read access to the main DB is essential, otherwise replication **will not** do the right thing.

Regards,