Dear All,
I have an LDAP provider and its consumer running OpenLDAP 2.3.43, the replication mode being delta-syncrepl. Password policy is enabled on both servers.
I performed the following tests:
1- Tried N bind attempts to the *LDAP provider*, with N = pwdMaxFailure, using a wrong password. N pwdFailureTime attributes and one pwdAccountLockedTime attribute were added to the binding DN on the provider. All changes were replicated to the consumer. As a result, it was *not* possible to bind to either the provider or the consumer using the correct password. Changing the password on the provider removed the pwdFailureTime and pwdAccountLockedTime attributes on the provider. The changes were replicated to the consumer. As a result, it was possible to bind to either the provider or the consumer using the new password. All works as designed.
2- Tried N bind attempts to the *LDAP consumer*, with N = pwdMaxFailure, using a wrong password. N pwdFailureTime attributes and one pwdAccountLockedTime attribute were added to the binding DN on the consumer. As a result, it was *not* possible to bind to the consumer using the correct password. Changing the password on the provider caused the pwdFailureTime attributes to be removed on the consumer. But the pwdAccountLockedTime attribute was still present in the binding DN on the consumer. As a result, it was *still not* possible to bind to the consumer using the new password. Is this the expected behavior? I thought that changing the password on the provider would remove both the pwdFailureTime and pwdAccountLockedTime attributes on the consumer, thus allowing me to bind to the consumer.
Any help on the matter would be very much appreciated.
Thanks.
-- Sam
Do you have specific attributes listed in your replication agreement or are you using the default *,+ for all normal and hidden attributes ?
Sellers
> Is this the expected behavior? I thought that changing the password on the provider would remove both the pwdFailureTime and pwdAccountLockedTime attributes on the consumer, thus allowing me to bind to the consumer.
> Any help on the matter would be very much appreciated.
> Thanks.
> -- Sam

/%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\
| Chris G. Sellers | Internet Engineer | NITLE |
| 734.661.2318 | chris.sellers@nitle.org |
| Jabber: csellers@nitle.org | AIM: imthewherd |
\%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%/
On Thu, Oct 9, 2008 at 4:43 PM, Chris G. Sellers chris.sellers@nitle.org wrote:
> Do you have specific attributes listed in your replication agreement or are you using the default *,+ for all normal and hidden attributes ?
I didn't specify a list of attributes in my syncrepl definition on the consumer, which means the default "*,+" is being used.
Did you experience a different behavior when trying test #2?
Thanks.
-- Sam
On Thu, Oct 9, 2008 at 3:53 PM, Sam Tran stlist@gmail.com wrote:
> Dear All,
> [snip]
> 2- Tried N bind attempts to the *LDAP consumer*, with N = pwdMaxFailure, using a wrong password. N pwdFailureTime attributes and one pwdAccountLockedTime attribute were added to the binding DN on the consumer. As a result, it was *not* possible to bind to the consumer using the correct password. Changing the password on the provider caused the pwdFailureTime attributes to be removed on the consumer. But the pwdAccountLockedTime attribute was still present in the binding DN on the consumer. As a result, it was *still not* possible to bind to the consumer using the new password. Is this the expected behavior? I thought that changing the password on the provider would remove both the pwdFailureTime and pwdAccountLockedTime attributes on the consumer, thus allowing me to bind to the consumer.
Now it is becoming more confusing. I performed the same test #2. After changing the password once on the provider, only the pwdFailureTime attributes were deleted on the consumer. When I changed the password a second time on the provider, the pwdAccountLockedTime attribute on the consumer got deleted that time... Is that how it is supposed to work?
Any hints please?
Thanks.
-- Sam
On Fri, Oct 10, 2008 at 4:04 PM, Sam Tran stlist@gmail.com wrote:
> On Thu, Oct 9, 2008 at 3:53 PM, Sam Tran stlist@gmail.com wrote:
>> Dear All,
>> [snip]
>> 2- Tried N bind attempts to the *LDAP consumer*, with N = pwdMaxFailure, using a wrong password. N pwdFailureTime attributes and one pwdAccountLockedTime attribute were added to the binding DN on the consumer. As a result, it was *not* possible to bind to the consumer using the correct password. Changing the password on the provider caused the pwdFailureTime attributes to be removed on the consumer. But the pwdAccountLockedTime attribute was still present in the binding DN on the consumer. As a result, it was *still not* possible to bind to the consumer using the new password. Is this the expected behavior? I thought that changing the password on the provider would remove both the pwdFailureTime and pwdAccountLockedTime attributes on the consumer, thus allowing me to bind to the consumer.
> Now it is becoming more confusing. I performed the same test #2. After changing the password once on the provider, only the pwdFailureTime attributes were deleted on the consumer. When I changed the password a second time on the provider, the pwdAccountLockedTime attribute on the consumer got deleted that time... Is that how it is supposed to work?
I just saw bug report ITS #5398 regarding OL 2.4.x: http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5398;selectid=5398 but it has been unanswered since last February.
The same behavior can be observed in OL 2.3.43.
-- Sam
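The condition Sam describes in test #2 (the consumer still carrying pwdAccountLockedTime after the provider has cleared its lockout state) is easy to miss in a replicated setup unless the ppolicy operational attributes of both servers are compared side by side. The script below is an added example, not code from the thread or from the OpenLDAP project: it parses LDIF as `ldapsearch -LLL` would emit it when the operational attributes are requested (the `+` Chris mentions) from the provider and from the consumer, summarises each entry's ppolicy state, and reports entries whose lockout state diverges. The LDIF inputs are constructed sample data; the DNs, uids and timestamps are assumptions, and the value `000001010000Z` is ppolicy's marker for an administrative permanent lock. Only the standard library is used, so it runs offline.

```python
"""Compare OpenLDAP ppolicy lockout state between a provider and a consumer.

Added example (not from the mailing-list thread). Feed it the LDIF output of
two searches such as
    ldapsearch -LLL -H ldap://provider -b ou=People,dc=example,dc=com \
        -s sub '(objectClass=*)' uid pwdChangedTime pwdFailureTime pwdAccountLockedTime
run against each server; here both results are constructed inline.
"""
import base64

# ppolicy stores this fixed value in pwdAccountLockedTime for an administrative, permanent lock
PERMANENT_LOCK = "000001010000Z"


def parse_ldif(text):
    """Minimal LDIF parser: returns {dn: {attr_lowercase: [values]}}.

    Handles line folding (continuation lines start with one space), base64 values
    ("attr:: ..."), comment lines and blank-line record separators.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold a continuation line
        else:
            logical.append(raw)

    entries, dn, attrs = {}, None, None
    for line in logical + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            dn, attrs = value, {}
        elif attrs is not None:
            attrs.setdefault(name, []).append(value)
    return entries


def lockout_state(attrs):
    """Summarise the ppolicy operational attributes of one parsed entry."""
    lock = attrs.get("pwdaccountlockedtime", [])
    return {
        "failures": len(attrs.get("pwdfailuretime", [])),   # one value per failed bind
        "locked": bool(lock),
        "permanent": PERMANENT_LOCK in lock,
        "changed": (attrs.get("pwdchangedtime") or [None])[0],
    }


def compare_lockout(provider_ldif, consumer_ldif):
    """Return a sorted list of (dn, problem) for entries whose lockout state differs."""
    prov, cons = parse_ldif(provider_ldif), parse_ldif(consumer_ldif)
    problems = []
    for dn in sorted(set(prov) | set(cons)):
        if dn not in prov or dn not in cons:
            missing_on = "consumer" if dn in prov else "provider"
            problems.append((dn, "entry missing on " + missing_on))
            continue
        p, c = lockout_state(prov[dn]), lockout_state(cons[dn])
        if c["locked"] and not p["locked"]:
            # the situation from test #2: provider cleared the lock, consumer did not
            problems.append((dn, "stale lock on consumer (pwdAccountLockedTime not cleared)"))
        elif p["locked"] and not c["locked"]:
            problems.append((dn, "lock present on provider but not on consumer"))
        if p["failures"] != c["failures"]:
            problems.append((dn, "pwdFailureTime count differs: provider=%d consumer=%d"
                             % (p["failures"], c["failures"])))
    return problems


# Constructed sample data (assumed DNs and timestamps, not taken from the thread).
# sam: password changed on the provider, lock cleared there, still present on the consumer.
# bob: locked out on the consumer only, as after N failed binds against the consumer.
# alice: consistent on both sides; her description is base64 and line-folded.
PROVIDER_LDIF = """\
dn: uid=sam,ou=People,dc=example,dc=com
uid: sam
pwdChangedTime: 20081010160400Z

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
pwdChangedTime: 20080901120000Z

dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
pwdChangedTime: 20080901120000Z
description:: QWRtaW4g
 YWNjb3VudA==
"""

CONSUMER_LDIF = """\
dn: uid=sam,ou=People,dc=example,dc=com
uid: sam
pwdChangedTime: 20081010160400Z
pwdAccountLockedTime: 20081009155300Z

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
pwdChangedTime: 20080901120000Z
pwdFailureTime: 20081009155000Z
pwdFailureTime: 20081009155100Z
pwdFailureTime: 20081009155200Z
pwdAccountLockedTime: 20081009155200Z

dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
pwdChangedTime: 20080901120000Z
description:: QWRtaW4g
 YWNjb3VudA==
"""

if __name__ == "__main__":
    for dn, problem in compare_lockout(PROVIDER_LDIF, CONSUMER_LDIF):
        print("%s: %s" % (dn, problem))
```

Run against real exports, a non-empty report for an entry that the provider no longer shows as locked is the signal to look at the consumer's copy of that entry, which is exactly what the thread's observation would produce.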