[email protected] wrote:
> Full_Name: maria saez
> Version: 2.4.8
> OS: debian etch
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (193.145.230.2)
>
>
> An account locked in a consumer needs two password changes in the provider to
> be unlocked.

I'm unable to reproduce this behavior in current code.

> The first time that we change the password in the provider, the password change
> is replicated in the consumer, but the account remains locked.

A single password change on the provider results in unlocking on the consumer
for me.

> Can you help us?
> We have openldap-2.4.7 and openldap-2.4.8.
>
> Is this situation normal?
>
> We have the following configuration:
>
> Provider
> -------------------------------------------
> database bdb
> suffix "dc=xx,dc=es"
> rootdn "cn=config"
> directory /xx/data
> index entryCSN eq
> index entryUUID eq
> index objectClass eq
> index mail eq
> # define the replica provider for this database
> # (last directives in database section)
> overlay ppolicy
> ppolicy_default "cn=Standard Policy,ou=Policies,dc=xx,dc=es"
> ppolicy_use_lockout
>
> overlay syncprov
> syncprov-checkpoint 100 10
> syncprov-sessionlog 100
>
>
> Consumer
> ----------------------------------------------------------------
> database bdb
> suffix "dc=xx,dc=es"
> rootdn "cn=config"
> directory /xx/data
> index entryCSN eq
> index entryUUID eq
> index objectClass eq
> index mail eq
>
> overlay ppolicy
> ppolicy_default "cn=Standard Policy,ou=Policies,dc=ua,dc=es"
> ppolicy_use_lockout
>
> syncrepl rid=123
>   provider=ldaps://xx.xx.es:xx/
>   binddn="cn=config"
>   bindmethod=simple
>   credentials=xx
>   searchbase="dc=xx,dc=es"
>   schemachecking=on
>   type=refreshAndPersist
>   retry="60 +"
>
> overlay syncprov
> -------------------------------------------------------------------
> The policy we have defined:
>
> dn: cn=Standard Policy,ou=Policies,dc=xx,dc=es
> cn: Standard Policy
> objectClass: top
> objectClass: device
> objectClass: pwdPolicy
> pwdAttribute: 2.5.4.35
> pwdLockout: TRUE
> pwdLockoutDuration: 0
> pwdInHistory: 6
> pwdCheckQuality: 2
> pwdExpireWarning: 10
> pwdMaxAge: 120
> pwdMinLength: 5
> pwdGraceAuthnLimit: 3
> pwdAllowUserChange: TRUE
> pwdMustChange: TRUE
> pwdMaxFailure: 3
> pwdFailureCountInterval: 120
> pwdSafeModify: TRUE
> pwdMinAge: 120
> -------------------------------------------------------------

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
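The disagreement above (reporter: still locked after one password change; maintainer: cannot reproduce) is decided by the ppolicy operational attributes on the consumer's copy of the entry, not by the password value itself. An administrative password change removes pwdAccountLockedTime and pwdFailureTime on the provider, and with pwdLockoutDuration 0 the consumer stays locked for as long as its copy still carries pwdAccountLockedTime. The following script is an added example, not code from the OpenLDAP project or from this thread: it parses an LDIF dump of the same entry taken from each server, evaluates lock state under the policy values quoted in the report, and lists the ppolicy attributes that differ. The entry DN, the hash placeholders, the timestamps and the sample entries are constructed to show the reporter's symptom.

```python
"""Compare OpenLDAP ppolicy lockout state between a provider and a consumer.

Added example, not code from the OpenLDAP project or from this ITS thread.
Policy values are copied from the reporter's cn=Standard Policy entry; the
LDIF entries below are constructed (assumed DN, placeholder hashes).
"""
import base64
from datetime import datetime, timedelta, timezone

# Values from the reporter's cn=Standard Policy entry.
POLICY = {
    "pwdLockout": True,
    "pwdLockoutDuration": 0,      # 0: locked until an administrator resets the password
    "pwdMaxFailure": 3,
    "pwdFailureCountInterval": 120,
}

# ppolicy attributes that decide lock state and that syncrepl must carry
# from provider to consumer for an unlock to propagate.
PPOLICY_ATTRS = ("userPassword", "pwdChangedTime", "pwdReset",
                 "pwdFailureTime", "pwdAccountLockedTime")


def parse_ldif(text):
    """Parse one LDIF entry into {attr: [values]}; handles folded lines and '::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # continuation of the previous line
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):                  # attr:: base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def parse_gt(value):
    """Parse GeneralizedTime as slapd writes it: 'YYYYMMDDHHMMSSZ', optionally with a fraction."""
    whole = value.rstrip("Z").split(".")[0]
    return datetime.strptime(whole, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def lockout_state(entry, policy, now):
    """Return ('locked' | 'open', reason) for an entry under `policy` at time `now`."""
    if not policy["pwdLockout"]:
        return "open", "pwdLockout is FALSE"
    locked = entry.get("pwdAccountLockedTime")
    if locked:
        since = parse_gt(locked[0])
        duration = policy["pwdLockoutDuration"]
        if duration == 0:
            return "locked", "pwdAccountLockedTime set and pwdLockoutDuration is 0"
        if now < since + timedelta(seconds=duration):
            return "locked", "pwdLockoutDuration not yet elapsed"
        return "open", "lockout duration elapsed"
    # No lock recorded: report failures still inside pwdFailureCountInterval
    # (an interval of 0 means failures are never aged out).
    interval = policy["pwdFailureCountInterval"]
    failures = [parse_gt(v) for v in entry.get("pwdFailureTime", [])]
    if interval:
        failures = [t for t in failures if now - t <= timedelta(seconds=interval)]
    return "open", f"{len(failures)} failure(s) within interval, max {policy['pwdMaxFailure']}"


def diff_ppolicy_state(provider_ldif, consumer_ldif, policy, now):
    """Lock state on each side plus the ppolicy attributes whose values differ."""
    prov, cons = parse_ldif(provider_ldif), parse_ldif(consumer_ldif)
    diffs = {a: (prov.get(a, []), cons.get(a, []))
             for a in PPOLICY_ATTRS if prov.get(a, []) != cons.get(a, [])}
    return {"provider": lockout_state(prov, policy, now),
            "consumer": lockout_state(cons, policy, now),
            "diffs": diffs}


# Constructed sample: provider after one administrative password change
# (lockout attributes removed); consumer still carrying the stale ones.
PROVIDER_LDIF = """\
dn: uid=msaez,ou=People,dc=xx,dc=es
objectClass: inetOrgPerson
uid: msaez
userPassword: {SSHA}placeholder-new-hash
pwdChangedTime: 20080401100000Z
pwdReset: TRUE
"""

CONSUMER_LDIF = """\
dn: uid=msaez,ou=People,dc=xx,dc=es
objectClass: inetOrgPerson
uid: msaez
userPassword: {SSHA}placeholder-new-hash
pwdChangedTime: 20080401100000Z
pwdReset: TRUE
pwdFailureTime: 20080401095800.123456Z
pwdFailureTime: 20080401095830.234567Z
pwdFailureTime: 20080401095900.345678Z
pwdAccountLockedTime: 20080401095900Z
"""

NOW = datetime(2008, 4, 1, 10, 5, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    result = diff_ppolicy_state(PROVIDER_LDIF, CONSUMER_LDIF, POLICY, NOW)
    print("provider:", result["provider"])
    print("consumer:", result["consumer"])
    for attr, (p, c) in result["diffs"].items():
        print(f"{attr}: provider={p} consumer={c}")
```

To use it against real servers, dump the same entry from each side with ldapsearch, requesting operational attributes with `+` (for example `ldapsearch -LLL -H ldaps://provider/ -D cn=config -W -b "uid=...,dc=xx,dc=es" '*' '+'`), and feed the two outputs to diff_ppolicy_state. On the sample the provider reports open, the consumer reports locked, and the diff names pwdFailureTime and pwdAccountLockedTime as the attributes the replica did not drop; a consumer that reports open with an empty diff after a single change is the behaviour described in the reply.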
