On Monday, 5 July 2010 08:35:02 Christian Bösch wrote:
Now I have tested this and came to the following conclusion:
ppolicy_forward TRUE on the consumer: everything is synced well. ldapsearch on the consumer with a wrong bind password gets search results. Not so on the provider; here I get ldap_bind: Invalid credentials (49)
So, the new feature does not seem to work correctly. Has someone filed an ITS?
ppolicy_forward FALSE on the consumer: ldapsearch with a wrong password results in invalid credentials on both machines. I'm wondering that pwdHistory is synced well, however...
pwdHistory can only be updated on the provider, so this is not a concern.
pwdFailureTime is only synced from provider to consumer. If a failed authentication takes place on the consumer, then pwdFailureTime is added only locally on the consumer, which is a problem if I want to use lockout.
This is the same as the behaviour prior to this feature. There are workarounds.
Regards, Buchan
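The lockout concern raised in this thread (failed binds on a consumer leaving pwdFailureTime values that the provider never sees) can be checked directly by comparing exports from both servers. The script below is an added example written for this page, not code from OpenLDAP or from either poster. It assumes you have exported the relevant subtree from the provider and from the consumer with ldapsearch -LLL including operational attributes; the two LDIF strings embedded here are constructed sample data, and pwd_max_failure is whatever pwdMaxFailure your policy entry sets.

```python
"""Compare ppolicy failure state between an OpenLDAP provider and a consumer.

Added example for the thread above (not OpenLDAP project code). Assumes two
plain LDIF exports of the same subtree; the LDIF below is constructed data.
"""
from collections import defaultdict

# Constructed sample export from the provider: alice has one recorded failure.
PROVIDER_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
pwdFailureTime: 20100705080000Z

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
"""

# Constructed sample export from the consumer: extra failures recorded locally
# because binds against the consumer were not forwarded to the provider.
CONSUMER_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
pwdFailureTime: 20100705080000Z
pwdFailureTime: 20100705080100Z
pwdFailureTime: 20100705080200Z

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
pwdFailureTime: 20100705081000Z
"""


def parse_ldif(text):
    """Minimal LDIF reader: returns {dn: {attribute_lowercase: [values]}}.

    Handles folded continuation lines and comments; base64 (::) values are
    not needed for pwdFailureTime, which is a plain generalizedTime string.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line, join to previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries = {}
    dn, attrs = None, None
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line:
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(": ")
        name = name.lower()
        if name == "dn":
            dn, attrs = value, defaultdict(list)
        elif attrs is not None:
            attrs[name].append(value)
    return entries


def failure_times(entries, dn):
    """pwdFailureTime values for one entry (empty list if none)."""
    return sorted(entries.get(dn, {}).get("pwdfailuretime", []))


def compare_lockout_state(provider_ldif, consumer_ldif, pwd_max_failure):
    """Report entries whose consumer holds pwdFailureTime values the provider lacks.

    locked_on_consumer_only is True when the consumer's local count has reached
    pwdMaxFailure while the provider's count has not: the account would be
    locked on that consumer but not on the provider or on other consumers.
    """
    prov = parse_ldif(provider_ldif)
    cons = parse_ldif(consumer_ldif)
    report = {}
    for dn in sorted(set(prov) | set(cons)):
        p = set(failure_times(prov, dn))
        c = set(failure_times(cons, dn))
        local_only = sorted(c - p)
        if not local_only:
            continue
        report[dn] = {
            "provider_failures": len(p),
            "consumer_failures": len(c),
            "consumer_only": local_only,
            "locked_on_consumer_only": len(c) >= pwd_max_failure > len(p),
        }
    return report


if __name__ == "__main__":
    for dn, info in compare_lockout_state(PROVIDER_LDIF, CONSUMER_LDIF, 3).items():
        print(dn, info)
```

Run it against real exports by replacing the two constructed strings; any entry listed has lockout state that exists on one consumer only, which is exactly the situation the thread describes when updates are not forwarded to the provider.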