Hi,

On Mon, 16 Dec 2013, [email protected] wrote:
> Full_Name: Clément OUDOT
> Version: 2.4.38
> OS: GNU/Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (88.173.78.196)
>
>
> I have a simple setup with a master (overlay syncprov + overlay ppolicy) and a
> slave (syncrepl client, overlay ppolicy).
>
> 1. I lock my account in the slave
> 2. I change the description attribute of my account a first time in the master
> 3. My account is still locked in the slave
> 4. I change the description attribute of my account a second time in the
>    master
> 5. My account is no longer locked in the slave: the password policy operational
>    attributes pwdFailureTime and pwdAccountUnlockTime were erased by the ones
>    of the master
>
> Seems like a control is done the first time that syncrepl updates the entry
> (the first time, pwdAccountLockTime and pwdFailureTime are not erased), but the
> second time the control is not done.

I have had a very similar setup for some time now and have never observed this
kind of behaviour from the ppolicy overlay. I am quite confident it should work
correctly in the situation you describe.

There might be a valid reason for the pwdAccountLockedtime and pwdFailureTime
attributes disappearing, like perhaps expiry of pwdLockoutDuration. Please see
the account_locked() function in servers/slapd/overlay/ppolicy.c for this.

It is of course also quite possible that you have hit a special corner case
that nobody else has yet found. The best thing you could do would be to set up
a small self-contained test case to illustrate the problem.

Greetings
Christian

--
Christian Kratzer                   CK Software GmbH
Email:   [email protected]            Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Web:     http://www.cksoft.de/      Managing Director: Christian Kratzer
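
The reply above suggests ruling out expiry of pwdLockoutDuration before suspecting replication. The following check is an added example, not code from this thread or from OpenLDAP; the function names are hypothetical and the rules are an assumption based on the attribute semantics in the LDAP password policy draft (duration 0 and the 000001010000Z stamp mean a lock that only an administrator clears).

```python
from datetime import datetime, timedelta, timezone

# Stamp the password policy draft uses for a lock that never expires on its
# own (assumption: the server stores it in exactly this form).
PERMANENT_LOCK = "000001010000Z"


def parse_generalized_time(value):
    """Parse a UTC GeneralizedTime such as 20131216093000Z (fractions ignored)."""
    if not value.endswith("Z"):
        raise ValueError("only UTC ('Z') timestamps are handled: %r" % value)
    digits = value[:-1].split(".")[0]
    return datetime.strptime(digits, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def lock_state(locked_time, lockout_enabled, lockout_duration, now):
    """Return 'unlocked', 'locked', 'permanent' or 'expired' for one entry.

    locked_time:      pwdAccountLockedTime value, or None if the attribute is absent
    lockout_enabled:  pwdLockout from the effective policy
    lockout_duration: pwdLockoutDuration in seconds (0 = until admin reset)
    now:              timezone-aware datetime at which the check is made
    """
    if not lockout_enabled or locked_time is None:
        return "unlocked"
    if lockout_duration == 0 or locked_time == PERMANENT_LOCK:
        return "permanent"
    expires = parse_generalized_time(locked_time) + timedelta(seconds=lockout_duration)
    # 'expired' means the lock stamp is stale: the server may clear it itself,
    # so its disappearance does not by itself point at syncrepl.
    return "locked" if now < expires else "expired"


if __name__ == "__main__":
    # Constructed sample values, not taken from the reporter's directory.
    check_time = datetime(2013, 12, 16, 10, 0, 0, tzinfo=timezone.utc)
    samples = [
        ("20131216093000Z", True, 3600),
        ("20131216093000Z", True, 900),
        (PERMANENT_LOCK, True, 900),
    ]
    for stamp, enabled, duration in samples:
        print(stamp, duration, lock_state(stamp, enabled, duration, check_time))
```

Run it with the pwdAccountLockedTime read from the slave and the pwdLockoutDuration of the policy that applies to the entry; only a result of "locked" or "permanent" at the time of the second modification leaves replication as the remaining explanation.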
