On Fri, Oct 10, 2008 at 4:04 PM, Sam Tran stlist@gmail.com wrote:
> On Thu, Oct 9, 2008 at 3:53 PM, Sam Tran stlist@gmail.com wrote:
>> Dear All,
>> [snip]
>> 2- Tried N bind attempts to *LDAP consumer* with N = pwdMaxFailure and wrong password. N pwdFailureTime attributes and one pwdAccountLockedTime attribute were added to the binding DN on consumer. As a result it was *not* possible to bind to the consumer using the correct password. Changing the password on the provider caused the pwdFailureTime attributes to be removed on the consumer. But the pwdAccountLockedTime attribute was still present in the binding DN on the consumer. As a result it was *still not* possible to bind to the consumer using the new password. Is this the expected behavior? I thought that changing the password on the provider would remove both the pwdFailureTime and pwdAccountLockedTime attributes on the consumer, thus allowing me to bind to the consumer.
> Now it is becoming more confusing. I performed the same test #2. After changing the password once on the provider, only the pwdFailureTime attributes were deleted on the consumer. If I changed the password a second time on the provider, the pwdAccountLockedTime attribute on the consumer gets deleted this time ... Is that how it is supposed to work?
Just saw that bug report ITS #5398 regarding OL 2.4.x: http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5398;selectid=5398
But it has been unanswered since last February.
The same behavior can be observed in OL 2.3.43.
-- Sam
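Added example (not part of the thread and not OpenLDAP code): a small Python checker that reads the consumer's entry and the ppolicy entry as `ldapsearch`/LDIF text and reports whether the ppolicy overlay would still refuse a bind. It encodes the overlay's rules as I understand them (stated as assumptions in the code): while `pwdAccountLockedTime` is present the account is locked, either until `pwdLockoutDuration` seconds have elapsed or, with `pwdLockoutDuration` 0, until the attribute is removed; `pwdFailureTime` values only count toward `pwdMaxFailure` if they fall within `pwdFailureCountInterval` (0 meaning they never expire). The entries and DNs are constructed to mirror test #2 above: after the first password change the consumer entry has lost its `pwdFailureTime` values but still carries `pwdAccountLockedTime`, which is exactly the state in which the bind keeps failing.

```python
"""Check ppolicy lockout state of an entry from ldapsearch/LDIF output.

Added example; not OpenLDAP's own logic. The rules below are this
example's assumptions about the ppolicy overlay, not quotes from it.
"""
from datetime import datetime, timedelta, timezone


def parse_entry(ldif):
    """Parse one LDIF entry into {attribute_lower: [values]}.

    Continuation lines, base64 (::) and URL (:<) values are skipped;
    the ppolicy timestamps this check needs are always plain text.
    """
    entry = {}
    for line in ldif.splitlines():
        if not line or line.startswith("#") or line[0] in " \t":
            continue
        attr, sep, value = line.partition(":")
        if not sep or value[:1] in (":", "<"):
            continue
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def parse_gt(value):
    """Parse an LDAP GeneralizedTime such as 20081010155900Z (UTC)."""
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def lockout_state(entry, policy, now):
    """Report whether `entry` can bind under `policy` at time `now`."""
    max_failure = int(policy.get("pwdmaxfailure", ["0"])[0])
    interval = int(policy.get("pwdfailurecountinterval", ["0"])[0])
    duration = int(policy.get("pwdlockoutduration", ["0"])[0])

    failures = [parse_gt(v) for v in entry.get("pwdfailuretime", [])]
    if interval > 0:  # assumption: 0 means failures never age out
        failures = [t for t in failures if t >= now - timedelta(seconds=interval)]

    state = {"locked": False, "failures_counted": len(failures),
             "reason": "no pwdAccountLockedTime; bind allowed"}
    locked = entry.get("pwdaccountlockedtime")
    if locked:
        if locked[0].startswith("0000"):  # 000001010000Z: administrative lock
            state.update(locked=True, reason="administratively locked (000001010000Z)")
        elif duration == 0:  # assumption: only removing the attribute unlocks
            state.update(locked=True, reason="pwdAccountLockedTime present and "
                         "pwdLockoutDuration=0: locked until the attribute is removed")
        else:
            unlock_at = parse_gt(locked[0]) + timedelta(seconds=duration)
            if now < unlock_at:
                state.update(locked=True,
                             reason="locked until " + unlock_at.strftime("%Y%m%d%H%M%SZ"))
            else:
                state["reason"] = "pwdLockoutDuration elapsed; bind allowed"
    elif max_failure and len(failures) >= max_failure:
        state["reason"] = "failures at pwdMaxFailure but no pwdAccountLockedTime set"
    return state


# Constructed sample data (hypothetical DNs) mirroring test #2 on the consumer.
POLICY = parse_entry("""\
dn: cn=default,ou=policies,dc=example,dc=com
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdFailureCountInterval: 0
""")

DURING_FAILURES = """\
dn: uid=stran,ou=people,dc=example,dc=com
pwdFailureTime: 20081010160100Z
pwdFailureTime: 20081010160800Z
"""

AFTER_FIRST_RESET = """\
dn: uid=stran,ou=people,dc=example,dc=com
pwdChangedTime: 20081010160400Z
pwdAccountLockedTime: 20081010155900Z
"""

AFTER_SECOND_RESET = """\
dn: uid=stran,ou=people,dc=example,dc=com
pwdChangedTime: 20081010160900Z
"""

NOW = datetime(2008, 10, 10, 16, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, ldif in (("during failures", DURING_FAILURES),
                       ("after 1st password change", AFTER_FIRST_RESET),
                       ("after 2nd password change", AFTER_SECOND_RESET)):
        print(name, lockout_state(parse_entry(ldif), POLICY, NOW))
```

Run it against `ldapsearch -LLL -b <dn> pwdFailureTime pwdAccountLockedTime` output taken from the consumer, with the policy entry fetched the same way; the "after 1st password change" case comes back locked even though no `pwdFailureTime` remains, which is the state the thread describes.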