On 3/21/19 10:09 AM, Jochen Keutel wrote:
we are using OpenLDAP 2.4.44 on Debian 9 in a distributed
scenario:
push based replication (means: using proxies with ldap backend). All
works fine, all attributes (normal and operational) are replicated. Only
one problem occurs:
- when we set pwdAccountLockedTime on the master it gets replicated
without problems.
- but if we remove this attribute on the master (means: we unlock the
account) this change is NOT replicated: The attribute is still there in
all replicas, so the accounts stay locked.
Is this by design - or is it a bug?
The usual answer:
Upgrade because many replication issues were fixed since 2.4.44 which
was released three years ago. IIRC some issues with operational
attributes were fixed.
Also this comes to mind:
https://www.openldap.org/its/index.cgi?findid=8927
Furthermore I'm not sure whether it will work correctly with push-based
replication. But try first to upgrade, e.g. based on LTB packages if you
don't want to build Debian packages yourself.
You could also try to use the stretch backport packages:
https://packages.debian.org/source/stretch-backports/openldap
I don't have any personal experience with these packages though.
Ciao, Michael.
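As an added example that is not part of the thread: a small consistency check for the symptom described above, comparing which entries still carry pwdAccountLockedTime on each replica against the master. The LDIF below is constructed to look like `ldapsearch -LLL` output for the filter `(pwdAccountLockedTime=*)`; the server names and DNs are made up.

```python
"""Flag replicas that still hold pwdAccountLockedTime for accounts the master
has already unlocked (attribute removed). Added example, not from the thread.
Input is constructed LDIF, as ldapsearch -LLL would print for the filter
(pwdAccountLockedTime=*) on the master and on each replica."""
from __future__ import annotations

# Constructed sample: only bob is still locked on the master.
MASTER_LDIF = """\
dn: uid=bob,ou=people,dc=example,dc=com
pwdAccountLockedTime: 20190321080000Z
"""

# Constructed sample: ldap2 never saw alice's unlock; ldap3 is in sync.
# The folded "dn:" line on ldap2 mimics ldapsearch wrapping at 76 columns.
REPLICA_LDIF = {
    "ldap2": """\
dn: uid=alice,ou=people,dc=exa
 mple,dc=com
pwdAccountLockedTime: 20190320120000Z

dn: uid=bob,ou=people,dc=example,dc=com
pwdAccountLockedTime: 20190321080000Z
""",
    "ldap3": """\
dn: uid=bob,ou=people,dc=example,dc=com
pwdAccountLockedTime: 20190321080000Z
""",
}


def parse_ldif_dns(ldif: str) -> set[str]:
    """Return the DNs of all entries in an LDIF search result.
    Continuation lines start with a single space (RFC 2849), so joining
    "\\n " back onto the previous line unfolds them before scanning."""
    unfolded = ldif.replace("\n ", "")
    return {line[4:].strip() for line in unfolded.splitlines()
            if line.startswith("dn: ")}


def stale_lockouts(master_ldif: str, replicas: dict[str, str]) -> dict[str, set[str]]:
    """Per replica: DNs locked there but no longer locked on the master."""
    master_locked = parse_ldif_dns(master_ldif)
    return {name: parse_ldif_dns(ldif) - master_locked
            for name, ldif in replicas.items()}


if __name__ == "__main__":
    for replica, dns in sorted(stale_lockouts(MASTER_LDIF, REPLICA_LDIF).items()):
        print(f"{replica}: " + ("OK" if not dns else "STALE " + ", ".join(sorted(dns))))
```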