Issue 7563 - slapd modifies attribute value of pwdAttribute
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd
Version: 2.4.33
Hardware: All All
: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
Reported: 2013-04-05 08:00 UTC by dieter@dkluenter.de
Modified: 2019-04-18 01:23 UTC
Description dieter@dkluenter.de 2013-04-05 08:00:50 UTC
Full_Name: 
Version: 2.4.33
OS: openSuSE-12.3-x86_64
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (91.65.235.202)


The pwdAttribute type requires a syntax of 1.3.6.1.4.1.1466.115.121.1.38,
according to man slapo-ppolicy and ppolicy.schema.
When adding a policy, the value of pwdAttribute gets changed from OID 2.5.4.35
to userPassword.
In a replicated system syncrepl complains about
syncrepl_message_to_entry: rid=001 mods check (pwdAttribute: value #0 invalid
per syntax) do_syncrepl: rid=001 rc 21 retrying.

-Dieter
Comment 1 Howard Chu 2013-04-05 08:25:09 UTC
dieter@dkluenter.de wrote:
> Full_Name:
> Version: 2.4.33
> OS: openSuSE-12.3-x86_64
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (91.65.235.202)
>
>
> The pwdAttribute type requires a syntax of 1.3.6.1.4.1.1466.115.121.1.38,
> according to man slapo-ppolicy and ppolicy.schema.
> When adding a policy, the value of pwdAttribute gets changed from OID 2.5.4.35
> to userPassword.

You are mistaken. slapd never changes this attribute from what the user stored.

> In a replicated system syncrepl complains about
> syncrepl_message_to_entry: rid=001 mods check (pwdAttribute: value #0 invalid
> per syntax) do_syncrepl: rid=001 rc 21 retrying.

This error will go away if you configure the ppolicy overlay on the consumer.
Closing this ITS.
>
> -Dieter
>
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Comment 2 Michael Ströder 2013-04-05 16:38:50 UTC
Howard, please try yourself first before answering.
Dieter is right here.

Example:

dn: cn=Default Password Policy,ou=Policies,dc=stroeder,dc=de
changetype: modify
delete: pwdAttribute
pwdAttribute: userPassword
-
add: pwdAttribute
pwdAttribute: 2.5.4.35
-

Reading it:

dn: cn=Default Password Policy,ou=Policies,dc=stroeder,dc=de
cn: Default Password Policy
[..]
pwdAttribute: userPassword
[..]

I vaguely remember I had to implement a work-around in web2ldap to deal with
that when generating delta modification data when the user edits such an entry.

Ciao, Michael.
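
An added illustration (not web2ldap's or OpenLDAP's code) of the client-side concern raised in Comment 2: a delta generator that treats the numeric OID and the descriptor as the same pwdAttribute value, so reading back userPassword after storing 2.5.4.35 does not produce a spurious modify. The OID table, the function names and the sample entries are assumptions constructed for this example.

```python
# Added illustration; names and tables here are assumptions, not project code.

# Attribute types whose values use the OID syntax
# (1.3.6.1.4.1.1466.115.121.1.38), as cited in the report for pwdAttribute.
OID_SYNTAX_ATTRS = {"pwdattribute"}

# Minimal constructed schema table: numeric OID -> descriptor.
# A real client would build this from the server's subschema subentry.
OID_TO_NAME = {"2.5.4.35": "userPassword"}
NAME_TO_OID = {name.lower(): oid for oid, name in OID_TO_NAME.items()}


def canonical(attr, value):
    """Comparison key for a value; OID-syntax values collapse to the numeric OID.

    Other attributes are compared as exact strings (a simplification).
    """
    if attr.lower() in OID_SYNTAX_ATTRS:
        return NAME_TO_OID.get(value.lower(), value)
    return value


def delta(stored, edited):
    """Return modify operations that turn `stored` into `edited`.

    `stored` is the entry as read from the server, `edited` the user's version;
    both map attribute name -> list of string values.
    """
    ops = []
    for attr in sorted(set(stored) | set(edited)):
        old = {canonical(attr, v): v for v in stored.get(attr, [])}
        new = {canonical(attr, v): v for v in edited.get(attr, [])}
        # Delete with the value exactly as the server returned it.
        gone = [old[k] for k in old if k not in new]
        added = [new[k] for k in new if k not in old]
        if gone:
            ops.append(("delete", attr, gone))
        if added:
            ops.append(("add", attr, added))
    return ops


if __name__ == "__main__":
    # Constructed sample: server returns the descriptor, user form holds the OID.
    read_back = {"cn": ["Default Password Policy"], "pwdAttribute": ["userPassword"]}
    user_form = {"cn": ["Default Password Policy"], "pwdAttribute": ["2.5.4.35"]}
    print(delta(read_back, user_form))
```
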


Comment 3 Michael Ströder 2013-04-05 21:39:44 UTC
Michael Ströder wrote:
> Howard, please try yourself first before answering.
> Dieter is right here.
> 
> Example:
> 
> dn: cn=Default Password Policy,ou=Policies,dc=stroeder,dc=de
> changetype: modify
> delete: pwdAttribute
> pwdAttribute: userPassword
> -
> add: pwdAttribute
> pwdAttribute: 2.5.4.35
> -
> 
> Reading it:
> 
> dn: cn=Default Password Policy,ou=Policies,dc=stroeder,dc=de
> cn: Default Password Policy
> [..]
> pwdAttribute: userPassword
> [..]
> 
> I vaguely remember I had to implement a work-around in web2ldap to deal with
> that when generating delta modification data when the user edits such an entry.

BTW: This has nothing to do with replication.

Howard Chu wrote before:

"Also as a general rule the X.500 data model requires that a server store and
return exactly what the user provided."

see http://www.openldap.org/lists/openldap-technical/201303/msg00189.html

Ciao, Michael.

Comment 4 Quanah Gibson-Mount 2017-04-12 15:22:48 UTC
moved from Incoming to Software Bugs
Comment 5 OpenLDAP project 2019-04-18 01:23:34 UTC
Not a bug
Comment 6 Quanah Gibson-Mount 2019-04-18 01:23:34 UTC
changed notes
changed state Open to Closed