Thanks Noriko, I think what I found is probably going to be rather telling.

[CrunkOps@dc01-server01 ~]$ sudo grep 'nsslapd-pwpolicy-local' /etc/dirsrv/slapd-dc01-server01/dse.ldif
nsslapd-pwpolicy-local: on
[CrunkOps@dc01-server01 ~]$

[CrunkOps@dc01-server02 ~]$ sudo grep 'nsslapd-pwpolicy-local' /etc/dirsrv/slapd-dc01-server02/dse.ldif
nsslapd-pwpolicy-local: on
[CrunkOps@dc01-server02 ~]$

[CrunkOps@dc02-server01 ~]$ sudo grep 'nsslapd-pwpolicy-local' /etc/dirsrv/slapd-dc02-server01/dse.ldif
[CrunkOps@dc02-server01 ~]$
[CrunkOps@dc02-server01 ~]$ date
Wed Sep 30 16:31:07 CDT 2015

:D

I'm pretty sure what I need to try next...

Thanks,

Ryan

On Wed, Sep 30, 2015 at 4:13 PM, Noriko Hosoi <[email protected]> wrote:

> On 09/30/2015 12:08 PM, Ryan Langford wrote:
>
> Hello,
>
> I have a curious situation with our LDAP ecosystem at work. I have 2 LDAP
> hosts in one data center (one is a replication supplier, one is a consumer)
> and 1 consumer host in a separate data center (DC-B).
>
>
> The issue is expired users can still successfully authenticate against the
> consumer host DC-B, even though LDAP shows that the password is expired.
>
> I've compiled outputs from each host into the following paste:
> https://paste.fedoraproject.org/273218/44362838/
>
> We are using an old version of 389-ds (as you can see from the paste),
> version 1.2.9.9, and as far as I can tell (I'm a relative LDAP neophyte)
> our configuration and replication properties are as expected, but I'm not
> sure if there might be a permissions issue, some other issue, or a bug in
> the old version we're using.
>
> What else should I check next?
>
> [CrunkOps@dc01-server01 ~]$ ldapsearch -x -D "cn=directory manager" -W -b "cn=config" -s base nsslapd-pwpolicy-local
> [CrunkOps@dc02-server01 ~]$ ldapsearch -x -D "cn=directory manager" -W -b "cn=config" -s base nsslapd-pwpolicy-local
>
> [CrunkOps@dc02-server01 ~]$ date
> (sorry, this is just to laugh...)
>
> Thanks,
> --noriko
>
> Thanks,
>
> Ryan
>
>
> --
> 389 users mailing list
> [email protected]
> https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users
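
Added example (not part of the original thread): a shell check that makes the same comparison as the greps above, reading nsslapd-pwpolicy-local from the cn=config entry of each instance's dse.ldif and flagging any instance where it is not "on". The function names and the sample files are constructed for illustration; on a real host, pass /etc/dirsrv/slapd-<instance>/dse.ldif instead.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.

# Print nsslapd-pwpolicy-local from the "dn: cn=config" entry of one dse.ldif,
# or "unset" when the attribute is absent (what the grep on dc02-server01 showed).
pwpolicy_local_value() {
    awk '
        BEGIN { in_cfg = 0; val = "unset" }
        /^$/ { in_cfg = 0; next }                      # blank line ends an LDIF entry
        tolower($0) ~ /^dn:[ ]*cn=config[ ]*$/ { in_cfg = 1; next }
        in_cfg && tolower($0) ~ /^nsslapd-pwpolicy-local:/ {
            sub(/^[^:]*:[ ]*/, ""); sub(/[ \t\r]+$/, "")
            val = tolower($0)                          # normalise case for comparison
        }
        END { print val }
    ' "$1"
}

# Print "<value> <file>" for each dse.ldif given; return 1 if any is not "on".
audit_pwpolicy_local() {
    rc=0
    for f in "$@"; do
        v=$(pwpolicy_local_value "$f")
        printf '%s\t%s\n' "$v" "$f"
        [ "$v" = "on" ] || rc=1
    done
    return "$rc"
}

# Constructed stand-ins for the three hosts' dse.ldif files.
make_samples() {
    printf 'dn: cn=config\ncn: config\nnsslapd-pwpolicy-local: on\n' > "$1/dc01-server01.ldif"
    printf 'dn: cn=config\ncn: config\nnsslapd-pwpolicy-local: on\n' > "$1/dc01-server02.ldif"
    printf 'dn: cn=config\ncn: config\nnsslapd-port: 389\n' > "$1/dc02-server01.ldif"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
audit_pwpolicy_local "$demo_dir"/*.ldif ||
    echo "Mismatch: at least one instance lacks nsslapd-pwpolicy-local: on"
rm -rf "$demo_dir"
```
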
