Bug 36353 - Update replication.py to filter operational (builtin) ppolicy overlay attributes
Update replication.py to filter operational (builtin) ppolicy overlay attributes
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: LDAP
UCS 3.2
Other Linux
: P5 normal (vote)
: UCS 3.2-3-errata
Assigned To: Arvid Requate
Felix Botner
:
Depends on: 36113
Blocks: 31907
  Show dependency treegraph
 
Reported: 2014-10-30 13:52 CET by Felix Botner
Modified: 2014-11-07 15:39 CET (History)
4 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Felix Botner univentionstaff 2014-10-30 13:52:14 CET
+++ This bug was initially created as a clone of Bug #36113 +++

The ppolicy LDAP overlay has a couple of operational (builtin) attributes, which need to be filtered out in replication.py. It's important that this filtering is in place on all UCS DCs *before* the ppolicy overlay gets loaded on any UCS DC master or UCS DC backup, otherwise OpenLDAP will refuse to start on the replicating DCs when it discovers the operational (builtin) attributes in the replicated schema.conf. 

Thus we should ship an errata update for univention-directory-replication and require this to be installed before any system is updated to UCS 4.0.

While we are at it, we might as well also filter out the new operation attributes inherent to the "mdb" database backend.


+++ This bug was initially created as a clone of Bug #31907 +++

We need to add 'MEMBEROF', 'PWDCHANGEDTIME', 'PWDACCOUNTLOCKEDTIME', 'PWDFAILURETIME', 'PWDHISTORY', 'PWDGRACEUSETIME', 'PWDRESET', 'PWDPOLICYSUBENTRY' to the EXCLUDE_ATTRIBUTES to avoid failed.ldif if ppolicy is deactivated on the master.
Comment 1 Felix Botner univentionstaff 2014-10-30 14:04:57 CET
Maybe we can also add the "pwdChangedTime", "pwdAccountLockedTime" attributes to the EXCLUDE_ATTRIBUTES list to avoid replication of ppolicy attributes at all.

To benefit would be that we don't need to activate ppolicy on all dc non-master servers  to avoid a failed.ldif (as there is no replication of the ppolicy attributes).
Comment 2 Arvid Requate univentionstaff 2014-10-30 14:48:56 CET
Fixed in errata3.2-3 and ucs_4.0-0.
Advisory: 2014-10-30-univention-directory-replication.yaml
Comment 3 Felix Botner univentionstaff 2014-10-30 17:38:48 CET
OK - UCS Master with ppolicy and 3.2-3 slave, replication works
OK - YAML
Comment 4 Janek Walkenhorst univentionstaff 2014-11-07 15:39:11 CET
http://errata.univention.de/ucs/3.2/240.html