Dear All,
I have an LDAP provider and its consumer running OpenLDAP 2.3.43, the replication mode being delta-syncrepl. Password policy is enabled on both servers.
I performed the following tests:
1- Tried N bind attempts to *LDAP provider* with N = pwdMaxFailure and wrong password. N pwdFailureTime attributes and one pwdAccountLockedTime attribute were added to the binding DN on provider. All changes were replicated to the consumer. As a result it was *not* possible to bind to either the provider or the consumer using the correct password. Changing the password on the provider removed the pwdFailureTime and pwdAccountLockedTime attributes on the provider. Changes were replicated to the consumer. As a result it was possible to bind to either the provider or the consumer using the new password. All works as designed.
2- Tried N bind attempts to *LDAP consumer* with N = pwdMaxFailure and wrong password. N pwdFailureTime attributes and one pwdAccountLockedTime attribute were added to the binding DN on consumer. As a result it was *not* possible to bind to the consumer using the correct password. Changing the password on the provider caused the pwdFailureTime attributes to be removed on the consumer. But the pwdAccountLockedTime attribute was still present in the binding DN on the consumer. As a result it was *still not* possible to bind to the consumer using the new password. Is this the expected behavior? I thought that changing the password on the provider would remove both the pwdFailureTime and pwdAccountLockedTime attributes on the consumer, thus allowing me to bind to the consumer.
Any help on the matter would be very much appreciated.
Thanks.
-- Sam
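One way to check for exactly the asymmetry described in test 2, as an added example that is not part of the original post: a small POSIX shell helper that reads the ppolicy state attributes of one DN from provider and consumer and reports whether the two servers agree. PROVIDER, CONSUMER, ADMIN_DN and ADMIN_PW are assumed environment variables, and the admin DN is assumed to be allowed to read these operational attributes on both servers.

```shell
#!/bin/sh
# Compare ppolicy lockout state (pwdFailureTime / pwdAccountLockedTime) for one
# DN on an OpenLDAP provider and its syncrepl consumer.
# Added example, not from the original post. Assumes the OpenLDAP client tools
# (ldapsearch) are installed and that $ADMIN_DN can read both attributes.

# fetch_state HOST DN -> LDIF containing only the two ppolicy state attributes
fetch_state() {
    ldapsearch -LLL -x -H "ldap://$1" -D "$ADMIN_DN" -w "$ADMIN_PW" \
        -b "$2" -s base '(objectClass=*)' pwdFailureTime pwdAccountLockedTime
}

# summarize_state: reads LDIF on stdin, prints "failures=<n> locked=<yes|no>"
# (one pwdFailureTime value per failed bind, pwdAccountLockedTime once locked)
summarize_state() {
    failures=0; locked=no
    while IFS= read -r line; do
        case "$line" in
            pwdFailureTime:*)       failures=$((failures + 1)) ;;
            pwdAccountLockedTime:*) locked=yes ;;
        esac
    done
    printf 'failures=%s locked=%s\n' "$failures" "$locked"
}

# compare_state PROVIDER_SUMMARY CONSUMER_SUMMARY -> "consistent" or "diverged"
compare_state() {
    if [ "$1" = "$2" ]; then echo consistent; else echo diverged; fi
}

# check_dn DN: summarize both servers and say whether they agree
check_dn() {
    p=$(fetch_state "$PROVIDER" "$1" | summarize_state)
    c=$(fetch_state "$CONSUMER" "$1" | summarize_state)
    printf 'provider: %s\nconsumer: %s\n' "$p" "$c"
    compare_state "$p" "$c"
}
```

Against real servers, `check_dn "uid=someone,dc=example,dc=com"` prints both summaries and `diverged` in the situation from test 2, where the consumer still carries pwdAccountLockedTime after the provider-side password change.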