Bug 36353

Summary: Update replication.py to filter operational (builtin) ppolicy overlay attributes
Product: UCS
Reporter: Felix Botner <botner>
Component: LDAP
Assignee: Arvid Requate <requate>
Status: CLOSED FIXED
QA Contact: Felix Botner <botner>
Severity: normal
Priority: P5
CC: gohmann, gulden, requate, walkenhorst
Version: UCS 3.2
Target Milestone: UCS 3.2-3-errata
Hardware: Other
OS: Linux
Bug Depends on: 36113    
Bug Blocks: 31907    

Description Felix Botner univentionstaff 2014-10-30 13:52:14 CET
+++ This bug was initially created as a clone of Bug #36113 +++

The ppolicy LDAP overlay has a couple of operational (builtin) attributes, which need to be filtered out in replication.py. It's important that this filtering is in place on all UCS DCs *before* the ppolicy overlay gets loaded on any UCS DC master or UCS DC backup, otherwise OpenLDAP will refuse to start on the replicating DCs when it discovers the operational (builtin) attributes in the replicated schema.conf.

Thus we should ship an errata update for univention-directory-replication and require this to be installed before any system is updated to UCS 4.0.

While we are at it, we might as well also filter out the new operational attributes inherent to the "mdb" database backend.


+++ This bug was initially created as a clone of Bug #31907 +++

We need to add 'MEMBEROF', 'PWDCHANGEDTIME', 'PWDACCOUNTLOCKEDTIME', 'PWDFAILURETIME', 'PWDHISTORY', 'PWDGRACEUSETIME', 'PWDRESET', 'PWDPOLICYSUBENTRY' to the EXCLUDE_ATTRIBUTES to avoid failed.ldif if ppolicy is deactivated on the master.
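As an added illustration (not the UCS replication.py code itself), the filtering the description asks for: a replicated entry and a python-ldap style modlist are stripped of the listed operational attributes before anything is written to the local directory. The entry/modlist shapes, the `filter_*` function names and the sample values are assumptions made for this example.

```python
# Attribute names are matched case-insensitively: LDAP attribute types are
# case-insensitive and the exclude list in the report is written upper-case.
EXCLUDE_ATTRIBUTES = frozenset([
    'MEMBEROF', 'PWDCHANGEDTIME', 'PWDACCOUNTLOCKEDTIME', 'PWDFAILURETIME',
    'PWDHISTORY', 'PWDGRACEUSETIME', 'PWDRESET', 'PWDPOLICYSUBENTRY',
])


def is_excluded(attr: str) -> bool:
    """True if the attribute (ignoring ';options' such as ';binary') is on the list."""
    return attr.split(';', 1)[0].upper() in EXCLUDE_ATTRIBUTES


def filter_entry(entry: dict) -> dict:
    """Drop excluded attributes from an entry given as {attr: [values]}."""
    return {attr: values for attr, values in entry.items() if not is_excluded(attr)}


def filter_modlist(modlist: list) -> list:
    """Drop excluded attributes from a python-ldap modlist [(op, attr, values)].

    May return an empty list; the caller should then skip the modify entirely,
    because sending an empty modification to slapd is an error rather than a no-op.
    """
    return [mod for mod in modlist if not is_excluded(mod[1])]


# Constructed sample: a user entry as a master with the ppolicy overlay loaded
# would replicate it, plus a modify that touches only ppolicy state.
SAMPLE_ENTRY = {
    'uid': [b'alice'],
    'objectClass': [b'person', b'uidObject'],
    'pwdChangedTime': [b'20141030135214Z'],
    'pwdAccountLockedTime': [b'20141030140457Z'],
    'memberOf': [b'cn=admins,dc=example,dc=com'],
}
SAMPLE_MODLIST = [
    (0, 'pwdFailureTime', [b'20141030143000Z']),   # 0 == ldap.MOD_ADD
    (2, 'pwdReset', [b'TRUE']),                    # 2 == ldap.MOD_REPLACE
]

if __name__ == '__main__':
    print(sorted(filter_entry(SAMPLE_ENTRY)))   # ['objectClass', 'uid']
    print(filter_modlist(SAMPLE_MODLIST))       # []
```

With the overlay loaded only on the master, the replicated entry keeps just `uid` and `objectClass`, and a modify consisting solely of ppolicy attributes is reduced to nothing and should be skipped rather than applied.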
Comment 1 Felix Botner univentionstaff 2014-10-30 14:04:57 CET
Maybe we can also add the "pwdChangedTime", "pwdAccountLockedTime" attributes to the EXCLUDE_ATTRIBUTES list to avoid replication of ppolicy attributes at all.

The benefit would be that we don't need to activate ppolicy on all DC non-master servers to avoid a failed.ldif (as there is no replication of the ppolicy attributes).
Comment 2 Arvid Requate univentionstaff 2014-10-30 14:48:56 CET
Fixed in errata3.2-3 and ucs_4.0-0.
Advisory: 2014-10-30-univention-directory-replication.yaml
Comment 3 Felix Botner univentionstaff 2014-10-30 17:38:48 CET
OK - UCS Master with ppolicy and 3.2-3 slave, replication works
OK - YAML
Comment 4 Janek Walkenhorst univentionstaff 2014-11-07 15:39:11 CET
http://errata.univention.de/ucs/3.2/240.html