I did a bit more testing on this.
I set up the password policy as below. Only the relevant part is given.
pwdLockout: TRUE
pwdMaxFailure: 3
pwdLockoutDuration: 90
1 - I bound to the master server 3 times using a wrong password. After that I failed to bind using the right password. Expected.
2 - I bound to the consumer server using the right password. Failed. Expected.
After 90 seconds everything works fine.
3 - I bound to the consumer server using the wrong password three times. After that I failed to bind to the consumer using the right password. Failed. Expected.
4 - I bound to the master server using the right password. Success. Not expected before the 90 seconds had elapsed.
I know the consumer server is not supposed to update the master server database, but is there any workaround? Does OpenLDAP support multi-master replication? Is this a limitation? Does this mean a client locked on the consumer server, as set by the policy, would be able to bind to the master server, overriding the policy?
One more doubt: where are the failure counts stored?
Regards, Sadique
Sadique Puthen wrote:
Hi,
Is it possible to replicate password policy related attributes using sync replication while using the ppolicy overlay?
I am specifically asking about replicating pwdChangedTime, pwdAccountLockedTime, pwdHistory, etc., not about password configuration related attributes.
Regards, Sadique