Univention Bugzilla – Bug 36353
Update replication.py to filter operational (builtin) ppolicy overlay attributes
Last modified: 2014-11-07 15:39:11 CET
+++ This bug was initially created as a clone of Bug #36113 +++ The ppolicy LDAP overlay has a couple of operational (builtin) attributes, which need to be filtered out in replication.py. It's important that this filtering is in place on all UCS DCs *before* the ppolicy overlay gets loaded on any UCS DC master or UCS DC backup, otherwise OpenLDAP will refuse to start on the replicating DCs when it discovers the operational (builtin) attributes in the replicated schema.conf. Thus we should ship an errata update for univention-directory-replication and require this to be installed before any system is updated to UCS 4.0. While we are at it, we might as well also filter out the new operation attributes inherent to the "mdb" database backend. +++ This bug was initially created as a clone of Bug #31907 +++ We need to add 'MEMBEROF', 'PWDCHANGEDTIME', 'PWDACCOUNTLOCKEDTIME', 'PWDFAILURETIME', 'PWDHISTORY', 'PWDGRACEUSETIME', 'PWDRESET', 'PWDPOLICYSUBENTRY' to the EXCLUDE_ATTRIBUTES to avoid failed.ldif if ppolicy is deactivated on the master.
Maybe we can also add the "pwdChangedTime", "pwdAccountLockedTime" attributes to the EXCLUDE_ATTRIBUTES list to avoid replication of ppolicy attributes at all. To benefit would be that we don't need to activate ppolicy on all dc non-master servers to avoid a failed.ldif (as there is no replication of the ppolicy attributes).
Fixed in errata3.2-3 and ucs_4.0-0. Advisory: 2014-10-30-univention-directory-replication.yaml
OK - UCS Master with ppolicy and 3.2-3 slave, replication works OK - YAML
http://errata.univention.de/ucs/3.2/240.html