--On Thursday, January 12, 2017 10:20 AM -0500 Beth Halsema bhalsema@purdue.edu wrote:
Quanah, are you suggesting that the ppolicy attributes (i.e. pwdGraceUseTime, pwdFailureTime, etc.) not be replicated?
Hi Beth,
This is clearly noted in the slapo-ppolicy(5) man page:
Note that the current IETF Password Policy proposal does not define how these operational attributes are expected to behave in a replication environment. In general, authentication attempts on a slave server only affect the copy of the operational attributes on that slave and will not affect any attributes for a user's entry on the master server. Operational attribute changes resulting from authentication attempts on a master server will usually replicate to the slaves (and also overwrite any changes that originated on the slave). These behaviors are not guaranteed and are subject to change when a formal specification emerges.
The correct fix is to modify your syncrepl configuration so that those attributes are ignored by the syncrepl client. There is no patch to the code necessary.
Regards,
Quanah

--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
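
One way to write the syncrepl change described in the reply above, as an added example that is not part of the original message. It assumes the `exattrs` option of the `syncrepl` directive (documented in slapd.conf(5)) is the mechanism meant; the rid, provider URL, search base, bind DN and credentials are placeholders, and only the two attributes named in the thread are listed.

```conf
# slapd.conf on the consumer (constructed example; every value below is a placeholder).
# exattrs lists attributes the syncrepl client drops from incoming entries, so the
# consumer keeps its own local copies of the ppolicy state attributes.
# Only the two attributes named in the thread are shown; append any further ppolicy
# operational attributes that must stay local to this server.
syncrepl rid=001
         provider=ldaps://provider.example.com
         type=refreshAndPersist
         retry="60 +"
         searchbase="dc=example,dc=com"
         bindmethod=simple
         binddn="cn=replicator,dc=example,dc=com"
         credentials=CHANGE_ME
         attrs="*,+"
         exattrs="pwdFailureTime,pwdGraceUseTime"
```

With the listed attributes excluded, lockout and grace-login state is tracked per server, so a client that spreads bind attempts across replicas is counted separately on each one.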