Ok, I did find part of my error.  It was not explicitly named in the syncrepl statement.  I added pwdChangedTime and pwdHistory to the syncrepl attrs line and it does sync them now -- but only if they already exist.  The account does not have a pwdChangedTime, and you change the password on servera, serverb does not get the attribute populated.  I will have to monitor the logs to see.

Thanks for making me think different about the problem.


--line changed --
      attrs="*,structuralObjectClass,entryUUID,entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp,pwdPolicySubentry"


      attrs="*,structuralObjectClass,entryUUID,entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp,pwdPolicySubentry,pwdChangedTime,pwdHistory"


On Jun 26, 2008, at 9:07 AM, Gavin Henry wrote:

Chris G. Sellers wrote:
I have n-way multimaster replication setup.  Works great.
I have slapo_ppolicy setup, it too works.
the problem I appear to have is that whichever server does the password change, the pwd* attributes are set, and then removed from the other server.
So, if I do a password change on server1, the record for user A on server1 shows pwdChangedTime
The record for user A on server2 shows the modificationTime but the pwdChangedTime is deleted
The same goes if I use server2 and look at server1.
At first, I thought it may be due to the clear_hash setting, but that didn't seem to make an impact.  Any ideas?  I know I must have something missing but I'm just not seeing it.
---
password-hash   {SSHA}
###########################################################################
database        bdb
suffix          "dc=nitle,dc=org"
rootdn          "cn=MASTERUSER,dc=nitle,dc=org"
rootpw          {SSHA}WAYTOOSECRETFORYOU
directory       /home/ldap/openldap/var/openldap-data
serverID 1
limits dn.exact="cn=mirroruser,ou=ou,dc=nitle,dc=org" size=unlimited time=unlimited
syncrepl rid=010 provider=ldap://ldapserveronoe.nitle.org:999999999 binddn="cn=mirroruser,ou=ou,dc=nitle,dc=org" bindmethod=simple
credentials=OOOOOHHHH searchbase="dc=nitle,dc=org" type=refreshAndPersist scope=sub
interval=00:00:00:10 retry="15 5 300 +" timeout=1 schemachecking=off starttls=yes
attrs="*,structuralObjectClass,entryUUID,entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp,pwdPolicySubentry"
#  syncdata=accesslog
syncrepl rid=011 provider=ldap://ldapserverTwo.nitle.org:999999999 binddn="cn=ldap`1,dc=nitle,dc=org" bindmethod=simple
      credentials=OOOOOHHHH searchbase="dc=nitle,dc=org" type=refreshAndPersist schemachecking=off scope=sub
      interval=00:00:00:10 retry="15 5 300 +" timeout=1 starttls=yes
      attrs="*,structuralObjectClass,entryUUID,entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp,pwdPolicySubentry"
#       syncdata=accesslog
overlay syncprov
mirrormode true
## INDICES TO MAINTAIN
index   objectClass                                             eq
index   cn,mail,surname,givenname                               eq,subinitial
index   uidNumber,gidNumber,memberuid,member,uniqueMember       eq
## PASSWORD POLICY OVERLAY ##
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=nitle,dc=org"
ppolicy_hash_cleartext
# ppolicy_use_lockout
++++++++++++++++++++++++++++++++++++++
Chris G. Sellers |  Internet Engineer      |   NITLE
734.661.2318 |  chris.sellers@nitle.org <mailto:chris.sellers@nitle.org>
Jabber: csellers@nitle.org <mailto:csellers@nitle.org>  | AIM: imthewherd


Where are your ACLs?

--
Kind Regards,

Gavin Henry.
OpenLDAP Engineering Team.

E ghenry@OpenLDAP.org

Community developed LDAP software.

http://www.openldap.org/project/

++++++++++++++++++++++++++++++++++++++
Chris G. Sellers |  Internet Engineer      |   NITLE
734.661.2318 |  chris.sellers@nitle.org
Jabber: csellers@nitle.org  | AIM: imthewherd