Hello, we are using OpenLDAP 2.4.44 on Debian 9 in a distributed scenario: push based replication (means: using proxies with ldap backend). All works fine, all attributes (normal and operational) are replicated. Only one problem occurs:
- when we set pwdAccountLockedTime on the master it gets replicated without problems.
- but if we remove this attribute on the master (means: we unlock the account) this change is NOT replicated: The attribute is still there in all replicas, so the accounts stay locked.
Is this by design - or is it a bug?
Regards Jochen.
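One way to check for the symptom described above (replicas still carrying pwdAccountLockedTime after it was removed on the master) is to dump the attribute from every server and diff the results. The script below is an added example written for this thread, not code posted by either participant; the host names, DNs and timestamps are constructed sample data. It assumes the input is plain LDIF as printed by ldapsearch (pwdAccountLockedTime is an operational attribute, so it has to be requested by name or with '+').

```python
"""Report pwdAccountLockedTime values that linger on replicas after the
attribute was removed on the master.

Input is LDIF as produced by, for example (hypothetical hosts/DNs):
  ldapsearch -LLL -H ldap://<host> -D <binddn> -W -b <base> \
      '(pwdAccountLockedTime=*)' pwdAccountLockedTime
Only base64-free, unfolded-or-folded attribute lines are handled.
All LDIF below is constructed for this example."""


def parse_ldif(text):
    """Return {dn: {attr: [values]}} for a minimal LDIF dump."""
    # Join folded continuation lines (a leading single space).
    joined = []
    for line in text.splitlines():
        if line.startswith(" ") and joined:
            joined[-1] += line[1:]
        else:
            joined.append(line)

    entries = {}
    current_dn, attrs = None, {}
    for line in joined + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current_dn is not None:
                entries[current_dn] = attrs
            current_dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if name.lower() == "dn":
            current_dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def stale_locks(master_ldif, replica_ldifs):
    """replica_ldifs: {replica_name: ldif_text}.

    Returns a sorted list of (replica, dn, pwdAccountLockedTime) for every
    entry that is still locked on a replica but not locked on the master,
    i.e. the removal of the attribute did not propagate."""
    master = parse_ldif(master_ldif)
    stale = []
    for name, ldif in replica_ldifs.items():
        for dn, attrs in parse_ldif(ldif).items():
            times = attrs.get("pwdAccountLockedTime")
            if not times:
                continue
            if not master.get(dn, {}).get("pwdAccountLockedTime"):
                for t in times:
                    stale.append((name, dn, t))
    return sorted(stale)


# Constructed sample dumps: the master has already unlocked uid=alice
# (attribute removed), but replica1 still carries the old lock time.
MASTER_LDIF = """\
dn: uid=bob,ou=people,dc=example,dc=com
pwdAccountLockedTime: 20190320091500Z

"""

REPLICA_LDIFS = {
    "replica1": """\
dn: uid=alice,ou=people,dc=example,dc=com
pwdAccountLockedTime: 20190319120000Z

dn: uid=bob,ou=people,dc=example,dc=com
pwdAccountLockedTime: 20190320091500Z
""",
    "replica2": """\
dn: uid=bob,ou=people,dc=example,dc=com
pwdAccountLockedTime: 20190320091500Z
""",
}

if __name__ == "__main__":
    for replica, dn, locked in stale_locks(MASTER_LDIF, REPLICA_LDIFS):
        print(f"{replica}: {dn} still locked since {locked}, master is unlocked")
```

Run against real dumps, an empty result means the unlock did propagate everywhere; any row names a replica whose copy of the entry is stale and a user who is still locked out there.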
On 3/21/19 10:09 AM, Jochen Keutel wrote:
> we are using OpenLDAP 2.4.44 on Debian 9 in a distributed scenario: push based replication (means: using proxies with ldap backend). All works fine, all attributes (normal and operational) are replicated. Only one problem occurs:
> - when we set pwdAccountLockedTime on the master it gets replicated without problems.
> - but if we remove this attribute on the master (means: we unlock the account) this change is NOT replicated: The attribute is still there in all replicas, so the accounts stay locked.
> Is this by design - or is it a bug?
The usual answer: Upgrade because many replication issues were fixed since 2.4.44 which was released three years ago. IIRC some issues with operational attributes were fixed.
Also this comes to mind: https://www.openldap.org/its/index.cgi?findid=8927
Furthermore I'm not sure whether it will work correctly with push-based replication. But try first to upgrade, e.g. based on LTB packages if you don't want to build Debian packages yourself.
You could also try to use the stretch backport packages: https://packages.debian.org/source/stretch-backports/openldap I don't have any personal experience with these packages though.
Ciao, Michael.
openldap-technical@openldap.org