Univention Bugzilla – Bug 56909
Add warning about disabling overlay-ppolicy via ucr variable ldap/ppolicy
Last modified: 2024-02-06 12:44:05 CET
There should be a warning about possible consequences after disabling the overlay-ppolicy-module via the ucr variable ldap/ppolicy in the documentation.

After deleting this variable or setting it to ldap/ppolicy='no' the corresponding schema extension is removed from the openldap configuration. Admins may not be aware of this because there is no warning in the documentation.

In the output of 'ucr info ldap/ppolicy' there is some kind of warning:

root@mf2primary:/# ucr info ldap/ppolicy
ldap/ppolicy: no
If this variable is set to yes, the LDAP server loads the LDAP overlay ppolicy on the next restart. In this case the LDAP server loads a set of ppolicy specific user attributes. Once the overlay has been activated, it should not be deactivated again to avoid problems due to undefined attributes. Loading and activation of the overlay are two different things, activation is controlled by a separate UCR variable (see UCR variable ldap/ppolicy/enable).
Categories: service-ldap
Default: (not set)
Type: str
Bug #55998 removes the UCR variable ldap/ppolicy so the module is always loaded (but not activated). Since OpenLDAP 2.5 the ppolicy schema is built in.

*** This bug has been marked as a duplicate of bug 55998 ***
I think we could add a note to the UCR variable reference in the UCS manual, because the topic still affects UCS 5.0 and its users. I suggest adding a note to https://docs.software-univention.de/manual/5.0/en/appendix/variables.html#envvar-ldap-ppolicy in the documentation. With this bug, we should also check the documentation around the UCR variables regarding ppolicy and ensure consistent communication.