Ondřej,

sorry for the late response.
Checking it again, it looks as if those attributes *are* present for most 
entries, and for those where they are missing it seems the users never logged 
in since the password policy came into effect. Sorry for the noise, but it 
seems I had checked exactly those users.
(I have the task of deleting obsolete and inactive users from the database, 
but it seems some functional users never log in; maybe su is the culprit.)

Kind regards,
Ulrich Windl

> -----Original Message-----
> From: Ondřej Kuzník <[email protected]>
> Sent: Tuesday, September 9, 2025 1:08 PM
> To: Windl, Ulrich <[email protected]>
> Cc: [email protected]
> Subject: [EXT] Re: slapcat dump seems incomplete (attributes missing)
> 
> On Mon, Sep 01, 2025 at 07:17:04AM +0000, Windl, Ulrich wrote:
> > Hi!
> >
> > After a long time I checked the database dump I had created with
> > slapcat in OpenLDAP 2.5. I always thought that all attributes from the
> > database were saved, but it seems some attributes related to password
> > policy aren't:
> > Specifically I cannot find the pwdChangedTime that is there when
> > searching for it. I also miss the pwdHistory, but the
> > pwdPolicySubentry attribute is there.
> >
> > When I compare the dump with the last one created with OpenLDAP 2.4, I
> > see that those attributes (pwdChangedTime, pwdHistory) are still
> > there.
> >
> > That makes me wonder: Is it a bug in OpenLDAP, or is it a bug in my
> > configuration? As I understand it, ACLs should not play a role for
> > slapcat, right?
> > The command I'm using is "slapcat -o ldif-wrap=no -n $DBNUM -F $CONFDIR -g -l "$TMPFILE1"
> 
> Hi Ulrich,
> running test022-ppolicy from the test suite, then slapcat, these
> attributes are returned just fine. Make sure you're running the
> ldapsearch and slapcat against the same server.
> 
> It still looks like an ACL issue to me: if it's a replica you are
> running slapcat on, is it actually allowed to read those attributes from
> its provider's database? Because if not, it will never receive them, and
> if you're in a deltasync scenario, you've just violated rule number 1 of
> deltasync: unrestricted read access to the main DB is essential, otherwise
> replication **will not** do the right thing.
> 
> Regards,
> 
> --
> Ondřej Kuzník
> Senior Software Engineer
> Symas Corporation                       http://www.symas.com
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP
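As an added example, not code from this thread or from OpenLDAP, the script below automates the two checks discussed above: it parses slapcat output (folded lines and `-o ldif-wrap=no` output alike, plus `::` base64 values), reports which entries carrying a pwdPolicySubentry lack pwdChangedTime or pwdHistory, and lists DNs where an attribute present in one dump (say the 2.4 one) is missing from the other. The LDIF records, DNs and the `{SSHA}` placeholder are constructed for the example; only the attribute names are real ppolicy attributes.

```python
import base64
from collections import defaultdict

# Constructed slapcat-style dump (not from the thread). The pwdHistory value
# is folded onto a continuation line to exercise unfolding; the hash is a
# placeholder, not a real credential.
NEW_DUMP = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
pwdPolicySubentry: cn=default,ou=policies,dc=example,dc=com
pwdChangedTime: 20250901071704Z
pwdHistory: 20250101000000Z#1.3.6.1.4.1.1466.115.121.1.40#33#{SSHA}PLACEH
 OLDER-NOT-A-REAL-HASH

# bob is under the policy but has neither state attribute
dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
pwdPolicySubentry: cn=default,ou=policies,dc=example,dc=com

dn: uid=svc-backup,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: svc-backup
description:: ZnVuY3Rpb25hbCBhY2NvdW50
"""

# Constructed "older" dump in which bob still had pwdChangedTime.
OLD_DUMP = """\
dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
pwdPolicySubentry: cn=default,ou=policies,dc=example,dc=com
pwdChangedTime: 20240301120000Z
"""


def parse_ldif(text):
    """Return a list of (dn, {attr_lowercase: [values]}) records.

    Handles folded continuation lines (leading space), '::' base64 values
    and '#' comment lines; blank lines separate records."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)
    entries, dn, attrs = [], None, None
    for line in logical + [""]:             # sentinel flushes the last record
        if line.startswith("#"):
            continue
        if line == "":
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, None
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        name = name.strip().lower()          # LDAP attribute names are case-insensitive
        if name == "dn":
            dn, attrs = value, defaultdict(list)
        elif attrs is not None:
            attrs[name].append(value)
    return entries


def missing_ppolicy_state(text):
    """{dn: [missing ppolicy state attrs]} for entries with pwdPolicySubentry.

    Simplification: entries without an explicit pwdPolicySubentry may still
    fall under the overlay's default policy; they are skipped here."""
    wanted = ("pwdchangedtime", "pwdhistory")
    report = {}
    for dn, attrs in parse_ldif(text):
        if "pwdpolicysubentry" in attrs:
            report[dn] = [a for a in wanted if a not in attrs]
    return report


def lost_attribute(old_ldif, new_ldif, attr):
    """DNs where `attr` exists in the old dump but is absent from the new one."""
    attr = attr.lower()
    old = dict(parse_ldif(old_ldif))
    new = dict(parse_ldif(new_ldif))
    return sorted(dn for dn, a in old.items()
                  if attr in a and dn in new and attr not in new[dn])


if __name__ == "__main__":
    for dn, missing in missing_ppolicy_state(NEW_DUMP).items():
        print(dn, "missing:", missing or "nothing")
    print("lost pwdChangedTime:", lost_attribute(OLD_DUMP, NEW_DUMP, "pwdChangedTime"))
```

Run it against two real dumps by reading them into `OLD_DUMP`/`NEW_DUMP`; an entry that loses pwdChangedTime between a provider dump and a replica dump is the ACL symptom described above, whereas an entry that never had it is simply one whose password was never changed under the policy.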
