From clem.oudot@gmail.com Wed Dec 18 14:34:31 2013
From: clem.oudot@gmail.com
To: openldap-bugs@openldap.org
Subject: Re: (ITS#7766) Account unlocked in slave after two modifications on a
 master (overlay ppolicy)
Date: Wed, 18 Dec 2013 14:34:31 +0000
Message-ID: <201312181434.rBIEYVVa029965@boole.openldap.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7234284967910649656=="

--===============7234284967910649656==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

--089e0160b79ae9bb0c04edcfeff1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

2013/12/18 <ck(a)cksoft.de>

>   This message is in MIME format.  The first part should be readable text=
,
>   while the remaining parts are likely unreadable without MIME-aware tool=
s.
>
> --4178219828-444410844-1387368134=3D:27797
> Content-Type: TEXT/PLAIN; charset=3DUTF-8; format=3Dflowed
> Content-Transfer-Encoding: 8BIT
>
> Hi,
>
> On Wed, 18 Dec 2013, Cl=E9ment OUDOT wrote:
> <snipp/>
> > Well, I checked that the pwdLockoutDuration was correctly set (The valu=
e
> > in my case is 1200, so 20 minutes, much more than my tests). Other
> > proof, the values of pwdFailureTime are not erased, but replaced by
> > those of the master.
> >
> >
> >> It is of course also quite possible that you have hit a special corner
> >> case that nobody else has yet found.
> >
> >
> > I think so. I have to say that I use standard syncrepl, not
> delta-syncrepl.
> >
> >
> >>
> >> The best thing you could do would be to setup a small self contained
> >> test case to illustrate the problem.
> >>
> >
> > I will try to, but seems really easy to reproduce : configure master an=
d
> > slave with ppolicy, lock an account in slave, update same account on
> > master (change description) a first time and a second time.
>
> are you sure the account lock actually arrives on the master ?
>
> Are you using olcPPolicyForwardUpdates to actually get the account
> locked on the master and not only on the slaves ?
>
> If you do not have all the lock attributes on the master and you modify
> the entry it will get replaced on the slaves.
>
> Can you post your master and slave configs somewhere ?
>
>

I sent it by mail but I think it is too big and queued. So here is all
configuration and test result:

http://pastebin.com/earKiHnH

Cl=E9ment.

--089e0160b79ae9bb0c04edcfeff1
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><br><div class=3D"gmail=
_quote">2013/12/18  <span dir=3D"ltr">&lt;<a href=3D"mailto:ck(a)cksoft.de" t=
arget=3D"_blank">ck(a)cksoft.de</a>&gt;</span><br><blockquote class=3D"gmail_=
quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,=
204);padding-left:1ex">
=A0 This message is in MIME format. =A0The first part should be readable te=
xt,<br>
=A0 while the remaining parts are likely unreadable without MIME-aware tool=
s.<br>
<br>
--4178219828-444410844-1387368134=3D:27797<br>
Content-Type: TEXT/PLAIN; charset=3DUTF-8; format=3Dflowed<br>
Content-Transfer-Encoding: 8BIT<br>
<br>
Hi,<br>
<br>
On Wed, 18 Dec 2013, Cl=E9ment OUDOT wrote:<br>
&lt;snipp/&gt;<br>
<div class=3D"im">&gt; Well, I checked that the pwdLockoutDuration was corr=
ectly set (The value<br>
&gt; in my case is 1200, so 20 minutes, much more than my tests). Other<br>
&gt; proof, the values of pwdFailureTime are not erased, but replaced by<br=
>
&gt; those of the master.<br>
&gt;<br>
&gt;<br>
&gt;&gt; It is of course also quite possible that you have hit a special co=
rner<br>
&gt;&gt; case that nobody else has yet found.<br>
&gt;<br>
&gt;<br>
&gt; I think so. I have to say that I use standard syncrepl, not delta-sync=
repl.<br>
&gt;<br>
&gt;<br>
&gt;&gt;<br>
&gt;&gt; The best thing you could do would be to setup a small self contain=
ed<br>
&gt;&gt; test case to illustrate the problem.<br>
&gt;&gt;<br>
&gt;<br>
&gt; I will try to, but seems really easy to reproduce : configure master a=
nd<br>
&gt; slave with ppolicy, lock an account in slave, update same account on<b=
r>
&gt; master (change description) a first time and a second time.<br>
<br>
</div>are you sure the account lock actually arrives on the master ?<br>
<br>
Are you using olcPPolicyForwardUpdates to actually get the account<br>
locked on the master and not only on the slaves ?<br>
<br>
If you do not have all the lock attributes on the master and you modify<br>
the entry it will get replaced on the slaves.<br>
<br>
Can you post your master and slave configs somewhere ?<br>
<div class=3D"im"><br></div></blockquote><div><br><br></div><div>I sent it =
by mail but I think it is too big and queued. So here is all configuration =
and test result:<br><br><a href=3D"http://pastebin.com/earKiHnH">http://pas=
tebin.com/earKiHnH</a><br>
<br></div><div>Cl=E9ment.<br></div></div></div></div>

--089e0160b79ae9bb0c04edcfeff1--



--===============7234284967910649656==--