we are using OpenLDAP 2.4.44 on Debian 9 in a distributed scenario:
push based replication (means: using proxies with ldap backend). All
works fine, all attributes (normal and operational) are replicated. Only
one problem occurs:
- when we set pwdAccountLockedTime on the master it gets replicated
- but if we remove this attribute on the master (means: we unlock the
account) this change is NOT replicated: The attribute is still there in
all replicas, so the accounts stay locked.
Is this by design - or is it a bug?