Hi!
After a long time I checked the database dump I had created with slapcat in OpenLDAP 2.5. I always thought that all attributes from the database were saved, but it seems some attributes related to password policy aren't: Specifically I cannot find the pwdChangedTime that is there when searching for it. I also miss the pwdHistory, but the pwdPolicySubentry attribute is there.
When I compare the dump with the last one created with OpenLDAP 2.4, I see that those attributes (pwdChangedTime, pwdHistory) are still there.
That makes me wonder: Is it a bug in OpenLDAP, or is it a bug in my configuration? As I understand it, ACLs should not play a role for slapcat, right? The command I'm using is: slapcat -o ldif-wrap=no -n $DBNUM -F $CONFDIR -g -l "$TMPFILE1"
Module load order is:
olcModuleLoad: {0}back_mdb.so
olcModuleLoad: {1}syncprov.so
olcModuleLoad: {2}accesslog.so
olcModuleLoad: {3}ppolicy.so
olcModuleLoad: {4}refint.so
olcModuleLoad: {5}pw-sha2.so
olcModuleLoad: {6}lastbind.so
Kind regards,
Ulrich Windl
Klinikum der Universität Regensburg
IT / Infrastruktur
Franz-Josef-Strauß-Allee 11
D-93053 Regensburg
Tel: +49 941 944-13816
Softphone: +49 941 944-801142
FAX: +49 941 944-5882
On Mon, Sep 01, 2025 at 07:17:04AM +0000, Windl, Ulrich wrote:
> Hi!
> After a long time I checked the database dump I had created with slapcat in OpenLDAP 2.5. I always thought that all attributes from the database were saved, but it seems some attributes related to password policy aren't: Specifically I cannot find the pwdChangedTime that is there when searching for it. I also miss the pwdHistory, but the pwdPolicySubentry attribute is there.
> When I compare the dump with the last one created with OpenLDAP 2.4, I see that those attributes (pwdChangedTime, pwdHistory) are still there.
> That makes me wonder: Is it a bug in OpenLDAP, or is it a bug in my configuration? As I understand it, ACLs should not play a role for slapcat, right? The command I'm using is: slapcat -o ldif-wrap=no -n $DBNUM -F $CONFDIR -g -l "$TMPFILE1"
Hi Ulrich,
running test022-ppolicy from the test suite, then slapcat, these attributes are returned just fine. Make sure you're running the ldapsearch and slapcat against the same server.
It still looks like an ACL issue to me: if it's a replica you are running slapcat on, is it actually allowed to read those attributes from its provider's database? Because if not, it will never receive them, and if you're in a deltasync scenario you've just violated rule number 1 of deltasync - unrestricted read access to the main DB is essential, otherwise replication **will not** do the right thing.
Regards,
Ondřej,
sorry for the late response. Checking it again, it looks as if those attributes *are* present for most entries, and for those where they are missing it seems the users never logged in since the password policy was in effect. Sorry for the noise, but it seems I had checked exactly those users. (I have the task of deleting obsolete and inactive users from the database, but it seems some functional users never log in; maybe su is the culprit.)
Kind regards, Ulrich Windl
-----Original Message-----
From: Ondřej Kuzník <ondra@mistotebe.net>
Sent: Tuesday, September 9, 2025 1:08 PM
To: Windl, Ulrich <u.windl@ukr.de>
Cc: openldap-technical@openldap.org
Subject: [EXT] Re: slapcat dump seems incomplete (attributes missing)
On Mon, Sep 01, 2025 at 07:17:04AM +0000, Windl, Ulrich wrote:
> Hi!
> After a long time I checked the database dump I had created with slapcat in OpenLDAP 2.5. I always thought that all attributes from the database were saved, but it seems some attributes related to password policy aren't: Specifically I cannot find the pwdChangedTime that is there when searching for it. I also miss the pwdHistory, but the pwdPolicySubentry attribute is there.
> When I compare the dump with the last one created with OpenLDAP 2.4, I see that those attributes (pwdChangedTime, pwdHistory) are still there.
> That makes me wonder: Is it a bug in OpenLDAP, or is it a bug in my configuration? As I understand it, ACLs should not play a role for slapcat, right? The command I'm using is: slapcat -o ldif-wrap=no -n $DBNUM -F $CONFDIR -g -l "$TMPFILE1"

Hi Ulrich,
running test022-ppolicy from the test suite, then slapcat, these attributes are returned just fine. Make sure you're running the ldapsearch and slapcat against the same server.
It still looks like an ACL issue to me: if it's a replica you are running slapcat on, is it actually allowed to read those attributes from its provider's database? Because if not, it will never receive them, and if you're in a deltasync scenario you've just violated rule number 1 of deltasync - unrestricted read access to the main DB is essential, otherwise replication **will not** do the right thing.

Regards,

--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
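As an added example (not code from the thread or from OpenLDAP), the script below does the check that resolved this thread: it parses an LDIF dump of the kind `slapcat -o ldif-wrap=no` writes and lists the password-bearing entries that carry no pwdChangedTime (optionally also no pwdHistory), so the gaps can be matched against accounts that never authenticated under the policy instead of being read as attributes slapcat dropped. The sample dump, DNs and hashes are constructed; the parser also unfolds continuation lines, so it works on wrapped dumps too.

```python
# Constructed sample dump (not from the thread): alice authenticated after the
# policy took effect, svc-backup never did. One value is folded across lines.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
userPassword:: e1NTSEF9ZHVtbXk=
pwdPolicySubentry: cn=default,ou=policies,dc=example,dc=com
pwdChangedTime: 20250115093000Z
pwdHistory: 20240101000000Z#1.3.6.1.4.1.1466.115.121.1.40#20#{SSHA}oldhash

dn: uid=svc-backup,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: svc-backup
userPassword:: e1NTSEF9ZHVtbXk=
pwdPolicySubentry: cn=default,ou=policies,dc=example,
 dc=com
"""

def parse_ldif(text):
    """LDIF -> list of entries (lower-cased attribute name -> list of values)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold continuation line (RFC 2849)
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:  # sentinel flushes the last entry
        if not line:  # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):  # skip LDIF comments
            name, _, value = line.partition(":")
            if value.startswith(":"):
                value = value[1:]  # base64 marker ('::'); value left encoded
            current.setdefault(name.lower(), []).append(value.strip())
    return entries

def missing_policy_state(entries, required=("pwdchangedtime",)):
    """DNs of password-bearing entries that lack any `required` attribute."""
    report = []
    for entry in entries:
        # Without userPassword or pwdPolicySubentry, ppolicy had nothing to record.
        if "userpassword" in entry or "pwdpolicysubentry" in entry:
            lacking = [a for a in required if a not in entry]
            if lacking:
                report.append((entry["dn"][0], lacking))
    return report
```

Run it over a real dump with `missing_policy_state(parse_ldif(open(path).read()))`; an entry listed there that does show pwdChangedTime in ldapsearch against the same server is the case worth investigating further.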