On Wed, Sep 22, 2010 at 10:00:29AM +0200, Jonathan CLARKE wrote:
>> The slave has one entry where pwdAccountLockedTime is missing. This is an account that was locked by admin action between the initial load data being dumped from the master server and the new slave being started up, so it should have been replicated from one master or the other by syncrepl. Every other attribute in the entry is identical, including the modifyTimestamp which records when the pwdAccountLockedTime attribute was added. I know that the entry did not change after that, as I have a full changelog on both masters.
> This is most likely a separate issue. Updates to the ppolicy operational attributes are not replicated like "standard" changes, but instead written directly into the local database. So it's to be expected that you see differences on these attributes between syncrepl consumers/providers.

That is true for updates that result from local Bind operations (recording password failures, lockouts due to password failures etc). In my case the missing update reflected administrative action taken on the master server, and thus it should have propagated. The modifyTimestamp did propagate, but the actual admin action did not...

> See the ppolicy_forward_updates option in slapo-ppolicy(5) for details and a possible workaround.

That only applies to a Bind-induced change propagating against the normal flow of replication. My case was the reverse. Unfortunately the machines concerned are now in production service so it will be hard to replicate the circumstances.
Andrew
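A check for the symptom described in this thread (identical modifyTimestamp on provider and consumer, but pwdAccountLockedTime present only on the provider), added here as an example and not code from the thread or from OpenLDAP: it compares two LDIF dumps, with constructed sample entries standing in for real slapcat/ldapsearch output.

```python
# Compare ppolicy lockout state between a provider and a consumer LDIF dump.
# Sample data below is constructed; the DNs and timestamps are placeholders.
def parse_ldif(text):
    """Minimal LDIF parser: joins folded lines, keys entries by DN.
    Only plain 'attr: value' lines are handled (no base64 '::' values)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:  # LDIF line folding
                lines[-1] += raw[1:]
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        attrs = {}
        for line in lines:
            name, _, value = line.partition(": ")
            attrs.setdefault(name.lower(), []).append(value.strip())
        entries[attrs.pop("dn")[0]] = attrs
    return entries

def lockout_divergence(provider_ldif, consumer_ldif, attr="pwdaccountlockedtime"):
    """Return (dn, provider_value, consumer_value, same_modifytimestamp) for each
    entry present on both sides whose lockout attribute differs. A differing
    value under an identical modifyTimestamp is the symptom in the thread:
    the timestamp replicated, the operational attribute did not."""
    provider, consumer = parse_ldif(provider_ldif), parse_ldif(consumer_ldif)
    findings = []
    for dn, pattrs in provider.items():
        cattrs = consumer.get(dn)
        if cattrs is None:
            continue
        pval = pattrs.get(attr, [None])[0]
        cval = cattrs.get(attr, [None])[0]
        if pval != cval:
            same_ts = pattrs.get("modifytimestamp") == cattrs.get("modifytimestamp")
            findings.append((dn, pval, cval, same_ts))
    return findings

PROVIDER_LDIF = """dn: uid=alice,ou=people,dc=example,dc=com
pwdAccountLockedTime: 20100915120000Z
modifyTimestamp: 20100915120000Z

dn: uid=bob,ou=people,dc=example,dc=com
modifyTimestamp: 20100901000000Z
"""
# Consumer copy: alice's lockout attribute is absent, everything else identical.
CONSUMER_LDIF = PROVIDER_LDIF.replace("pwdAccountLockedTime: 20100915120000Z\n", "")
```

Running lockout_divergence on real dumps from both servers lists every entry whose lockout state diverged, and the final flag tells you whether modifyTimestamp nonetheless matched.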