Hi,
On Mon, 16 Dec 2013, coudot@linagora.com wrote:
> Full_Name: Clément OUDOT
> Version: 2.4.38
> OS: GNU/Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (88.173.78.196)
>
> I have a simple setup with a master (overlay syncprov + overlay ppolicy) and a slave (syncrepl client, overlay ppolicy).
> - I lock my account in the slave
> - I change the description attribute of my account a first time in the master
> - My account is still locked in the slave
> - I change the description attribute of my account a second time in the master
> - My account is no more locked in the slave: the password policy operational
> attributes pwdFailureTime and pwdAccountUnlockTime were erased by those of the master
>
> Seems like a control is done the first time that syncrepl updates the entry (the first time, pwdAccountLockTime and pwdFailureTime are not erased), but the second time the control is not done.
I have had a very similar setup for some time now and have never observed this kind of behaviour from the ppolicy overlay. I am quite confident it should work correctly in the situation you describe.
There might be a valid reason for the pwdAccountLockedTime and pwdFailureTime attributes disappearing, such as expiry of pwdLockoutDuration. Please see the account_locked() function in servers/slapd/overlay/ppolicy.c for this.
It is of course also quite possible that you have hit a special corner case that nobody else has yet found.
The best thing you could do would be to set up a small self-contained test case to illustrate the problem.
Greetings,
Christian
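The lockout-expiry rule Christian points at, modelled in Python as an added illustration; this is not OpenLDAP's code and not something posted in this thread. It reproduces the decision account_locked() in ppolicy.c makes: an entry carrying pwdAccountLockedTime stays locked until that time plus pwdLockoutDuration seconds, a duration of 0 means the lock never expires, and once the lock has expired ppolicy itself removes pwdAccountLockedTime, which is one way a replica can legitimately "lose" the attribute without syncrepl being involved. Attribute names are the real ppolicy ones; the `000001010000Z` administrative-lock value is the one defined by the LDAP password-policy draft; the timestamps and policy values in the demo are constructed.

```python
"""Model of the ppolicy lockout-expiry check (illustration, not OpenLDAP code).

Entries are dicts of attribute name -> list of string values, the way
ldapsearch would print them. Policy values are ints of seconds.
"""
from datetime import datetime, timedelta, timezone

# Special value from the password-policy draft: the account was locked by an
# administrator and never unlocks by time.
ADMIN_LOCK = "000001010000Z"


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime (YYYYmmddHHMMSS[.fff]Z) into an aware UTC datetime."""
    if "." in value:
        # ppolicy writes fractional seconds; drop them for the comparison.
        value = value.split(".", 1)[0] + "Z"
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def account_locked(entry, policy, now):
    """Return (locked, purge_attribute).

    locked: the bind must be refused because the lockout is still in force.
    purge_attribute: the lockout has expired, so ppolicy would delete
    pwdAccountLockedTime from the entry as a side effect of the check.
    """
    values = entry.get("pwdAccountLockedTime")
    if not values:
        return False, False
    locked_at = values[0]
    if locked_at == ADMIN_LOCK:
        return True, False
    duration = int(policy.get("pwdLockoutDuration", 0))
    if duration == 0:
        return True, False  # lock never expires
    expires = parse_generalized_time(locked_at) + timedelta(seconds=duration)
    if now < expires:
        return True, False
    return False, True  # expired: the attribute is removed, entry looks "unlocked"


def apply_lockout_check(entry, policy, now):
    """Return a copy of the entry as it would look after ppolicy ran the check."""
    locked, purge = account_locked(entry, policy, now)
    result = {k: list(v) for k, v in entry.items()}
    if purge:
        del result["pwdAccountLockedTime"]
    return locked, result


if __name__ == "__main__":
    # Constructed sample: account locked at 10:00 UTC under a 5-minute lockout.
    entry = {
        "uid": ["coudot"],
        "pwdAccountLockedTime": ["20131216100000Z"],
        "pwdFailureTime": ["20131216095958Z", "20131216095959Z", "20131216100000Z"],
    }
    policy = {"pwdLockoutDuration": 300}
    for minute in (4, 6):
        now = datetime(2013, 12, 16, 10, minute, tzinfo=timezone.utc)
        locked, after = apply_lockout_check(entry, policy, now)
        print(now.isoformat(), "locked" if locked else "not locked",
              "pwdAccountLockedTime present" if "pwdAccountLockedTime" in after else "pwdAccountLockedTime removed")
```

When diagnosing a replica that appears to unlock by itself, compare the pwdAccountLockedTime value and the policy's pwdLockoutDuration against the time of the observation first; only if the lock should still have been in force does the syncrepl path deserve suspicion.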