Bug 56909 - Add warning about disabling overlay-ppolicy via ucr variable ldap/ppolicy
Status: REOPENED
Product: UCS manual
Classification: Unclassified
Component: User management
Version: unspecified
Hardware: Other Linux
Importance: P5 major
Assigned To: Docu maintainers
QA Contact: UMC maintainers
Reported: 2023-12-11 11:32 CET by Wolfgang Bayrhof
Modified: 2024-02-06 12:44 CET
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.057
Enterprise Customer affected?: Yes
Ticket number: 2023120621000321
Description Wolfgang Bayrhof univentionstaff 2023-12-11 11:32:30 CET
There should be a warning in the documentation about the possible consequences of disabling the overlay-ppolicy module via the UCR variable ldap/ppolicy. After deleting this variable or setting it to ldap/ppolicy='no', the corresponding schema extension is removed from the OpenLDAP configuration. Admins may not be aware of this because there is no warning in the documentation.

In the output of 'ucr info ldap/ppolicy' there is some kind of warning:

root@mf2primary:/# ucr info ldap/ppolicy
ldap/ppolicy: no
 If this variable is set to yes, the LDAP server loads the LDAP overlay ppolicy on the next restart. In this case the LDAP server loads a set of ppolicy specific user attributes. Once the overlay has been activated, it should not be deactivated again to avoid problems due to undefined attributes. Loading and activation of the overlay are two different things, activation is controlled by a separate UCR variable (see UCR variable ldap/ppolicy/enable).
 Categories: service-ldap
 Default: (not set)
 Type: str
Comment 1 Florian Best univentionstaff 2024-02-06 10:33:45 CET
Bug #55998 removes the UCR variable ldap/ppolicy so the module is always loaded (but not activated). Since OpenLDAP 2.5 the ppolicy schema is built in.

*** This bug has been marked as a duplicate of bug 55998 ***
Comment 2 Nico Gulden univentionstaff 2024-02-06 12:44:05 CET
I think we could add a note to the UCR variable reference in the UCS manual, because the topic still affects UCS 5.0 and its users.

I suggest adding a note to https://docs.software-univention.de/manual/5.0/en/appendix/variables.html#envvar-ldap-ppolicy in the documentation.

With this bug, we should also check the documentation around the UCR variables regarding ppolicy and ensure consistent communication.