Hi!
Sorry for the lengthy delay. I tested again:
* I copied a policy and assigned that copy to a user
* then I renamed that copied pppolicy to a new name
* searching the server I see that the pwdPolicySubentry attribute is updated
The confusing part is that I find the rename in accesslog, but not the attribute change. Of course, the rename triggered an attribute change on the other replicated node as well, but I would find it more consistent if the change done by refint were reflected in the accesslog (and be replicated that way).
Maybe it's my fault to use the accesslog to see all changes applied to the local database...
Kind regards,
Ulrich Windl
-----Original Message-----
From: Ondřej Kuzník ondra@mistotebe.net
Sent: Friday, May 9, 2025 12:34 PM
To: Windl, Ulrich u.windl@ukr.de
Cc: openldap-technical@openldap.org
Subject: [EXT] Re: Re: Re: Re: Re: using refint overlay for pwdPolicySubentry
On Fri, May 09, 2025 at 10:00:08AM +0000, Windl, Ulrich wrote:
> I fail to see where slapd.conf comes into play with handling of
> pwdPolicySubentry:
> Both the policies and the users are defined in a different (MDB) database.
> Only the default policy may be stored in the config database directly, and I
> did not talk about that.
Yes, and as I indicated before, in my testing, everything but a default policy was being adjusted by refint just fine. The reason default policy was not is because it is set in the configuration and what we've moved onto.
If you can reproduce a set up where a pwdPolicySubentry is stored on the account's entry, refint is properly configured and a rename of the corresponding policy entry does not trigger an update of the account contrary to refint documentation, please post it here or better, file an issue.
Thanks,
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP