
Re: Replication and pwdAccountLockedTime



On 3/21/19 10:09 AM, Jochen Keutel wrote:
>   we are using OpenLDAP 2.4.44 on Debian 9 in a distributed scenario:
> push based replication (means: using proxies with ldap backend). All
> works fine, all attributes (normal and operational) are replicated. Only
> one problem occurs:
> - when we set pwdAccountLockedTime on the master it gets replicated
> without problems.
> - but if we remove this attribute on the master (means: we unlock the
> account) this change is NOT replicated: The attribute is still there in
> all replicas, so the accounts stay locked.
> 
> Is this by design - or is it a bug?

The usual answer:
Upgrade because many replication issues were fixed since 2.4.44 which
was released three years ago. IIRC some issues with operational
attributes were fixed.

Also this comes to mind:
https://www.openldap.org/its/index.cgi?findid=8927

Furthermore I'm not sure whether it will work correctly with push-based
replication. But try first to upgrade, e.g. based on LTB packages if you
don't want to build Debian packages yourself.

You could also try to use the stretch backport packages:
https://packages.debian.org/source/stretch-backports/openldap
I don't have any personal experience with these packages though.

Ciao, Michael.
