Hi Brad,

pwdFailureTime is an operational attribute, I don't think any user can modify it on any instance. May be you should try to modify it on the master to see if it comes from this assumption.

Esteban


On Thu, Mar 20, 2014 at 11:33 AM, Brad dameron <serpent6877@hotmail.com> wrote:
OpenLDAP 2.4.23-26 on CentOS 5. I am trying to get the pwdFailureTime updated on the master when the slave recieves a password failure. Here is my config. It's pretty simple and basic. No TLS.

Master:

access to attrs=userPassword
        by group.exact="cn=ldapadmins,ou=Groups,dc=test,dc=net" write
        by dn.exact="cn=replication,dc=test,dc=net" read
        by self         write
        by anonymous    auth
        by *            none
access to *
        by group.exact="cn=ldapadmins,ou=Groups,dc=test,dc=net" write
        by dn.exact="cn=replication,dc=test,dc=net" write
        by self         write
        by users        read
        by anonymous    read
        by *            none



Slave:

overlay chain
chain-uri               ldap://172.16.0.84:389
chain-rebind-as-user    TRUE
chain-idassert-bind     bindmethod=simple
                        binddn="cn=replication,dc=test,dc=net"
                        credentials="MyPasswd"
                        mode="self"
chain-return-error      TRUE

# Password Policy
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=test,dc=net
ppolicy_use_lockout
ppolicy_forward_updates


# Slave Replication
syncrepl rid=101
        provider=ldap://172.16.0.84:389
        type=refreshAndPersist
        interval=00:00:01:00
        retry="60 10 300 +"
        searchbase="dc=test,dc=net"
        schemachecking=off
        bindmethod=simple
        binddn="cn=replication,dc=test,dc=net"
        credentials="MyPasswd"
updateref               "ldap://172.16.0.84:389"



I see the connection on the master but it gives a permission error:


Mar 20 09:47:46 LDAP-RADIUS-1 slapd[14288]: conn=1124 op=3 MOD dn="cn=testuser,ou=People,dc=test,dc=net"
Mar 20 09:47:46 LDAP-RADIUS-1 slapd[14288]: conn=1124 op=3 MOD attr=pwdFailureTime
Mar 20 09:47:46 LDAP-RADIUS-1 slapd[14288]: conn=1124 op=3 RESULT tag=103 err=50 text=


I read that you maybe need authzTo added to the binddn for the chain? Or is this only for TLS?

I tried adding this ldif:

dn: cn=replication,dc=test,dc=net
changetype: modify
add: authzTo
authzTo: *

And even set the:

chain-idassert-authzFrom "*"

in the chain. But it always gives me the error code 50 not enough permissions. I believe it is supposed to give access to the user to MOD the pwdFailureTime tribute knowing it is coming from a relay. But I can't find very specific docs on this or see what is wrong. Any help apreciated.

Thanks,
Brad