From: Michael Ströder Sent: Tuesday, April 29, 2014 12:50 PM
AFAICS nothing prevents you from loading the schema first on all replicas. And after that load the overlay.
The attribute in question is not defined in the external schema, in fact, it is commented out:
#5.3.4 pwdFailureTime # # This attribute holds the timestamps of the consecutive authentication # failures. # # ( 1.3.6.1.4.1.42.2.27.8.1.19 # NAME 'pwdFailureTime' # DESC 'The timestamps of the last consecutive authentication # failures' # EQUALITY generalizedTimeMatch # ORDERING generalizedTimeOrderingMatch # SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 # USAGE directoryOperation )
The actual definition used by openldap is embedded in the schema_info within the ppolicy module itself. So, having the external schema loaded on one replica, and the module itself in use on another, still results in failed replication.