https://bugs.openldap.org/show_bug.cgi?id=9294
Issue ID: 9294
Summary: ppolicy and replication: Multiple values for
pwdLockedTime in violation of schema
Product: OpenLDAP
Version: 2.4.50
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: overlays
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
If you have the following setup, a replica can end up with user entries in a
non-schema compliant state:
a) ppolicy is configured on provider(s) and replicas. Replica has
schemachecking=off in its syncrepl configuration
b) account gets locked on the replica, so pwdAccountLockedTime is set on the
replica but not on the provider(s)
c) admin does a MOD/ADD op against a provider for the user entry to add a value
to pwdAccountLockedTime

    dn: ...
    changetype: modify
    add: pwdAccountLockedTime
    pwdAccountLockedTime: ...

d) provider accepts this modification.
e) replica accepts this modification.
f) account entry on replica now has two values for pwdAccountLockedTime in
violation of it being a single valued attribute:

    "( 1.3.6.1.4.1.42.2.27.8.1.17 "
    "NAME ( 'pwdAccountLockedTime' ) "
    "DESC 'The time an user account was locked' "
    "EQUALITY generalizedTimeMatch "
    "ORDERING generalizedTimeOrderingMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
    "SINGLE-VALUE "
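
Added example (not part of the original report and not OpenLDAP code): a check for the end state in step f), scanning LDIF exported from a replica for entries that carry more than one pwdAccountLockedTime value. The function names, DNs and timestamps are constructed for illustration.

```python
import base64

SINGLE_VALUED = {"pwdaccountlockedtime"}  # attribute from the report; extend as needed

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample LDIF (made-up DNs and timestamps), as a replica might export it.
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=com\n"
    "pwdAccountLockedTime: 20200714101500Z\n"
    "pwdAccountLockedTime: 20200714103000Z\n\n"
    "dn: uid=bob,ou=people,dc=example,dc=com\n"
    "pwdAccountLockedTime: 20200714110000Z\n\n"
    f"dn:: {_b64('uid=carol,ou=people,dc=example,dc=com')}\n"
    "PWDACCOUNTLOCKEDTIME: 20200715\n 080000Z\n"      # folded line, odd case
    f"pwdAccountLockedTime:: {_b64('20200715090000Z')}\n"  # base64 value
)

def parse_ldif(text):
    """Yield (dn, {attr_lower: [values]}) per entry; handles folding and base64."""
    # RFC 2849: a line starting with a single space continues the previous line.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):              # "attr:: <base64>"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            name = name.split(";")[0].lower()     # drop options, fold case
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:                        # skip non-entry blocks
            yield dn, attrs

def find_violations(text, single_valued=SINGLE_VALUED):
    """Return (dn, attr, values) for each SINGLE-VALUE attribute holding >1 value."""
    return [(dn, attr, attrs[attr])
            for dn, attrs in parse_ldif(text)
            for attr in sorted(single_valued)
            if len(attrs.get(attr, [])) > 1]

if __name__ == "__main__":
    for dn, attr, values in find_violations(SAMPLE_LDIF):
        print(f"{dn}: {attr} has {len(values)} values: {', '.join(values)}")
```

Feed it LDIF from slapcat on the replica, or from an ldapsearch that requests pwdAccountLockedTime by name, since operational attributes are not returned by default.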