We have 1 master and 1 secondary servers (version 2.4.11) using ppolicy.
When a user tries to bind with incorrect credential, the master server gets populated with pwdFailureTime attribute.
After 4 times of entering wrong credentials, pwdAccountLockedTime is added to that user.

Our problem is that the secondary server (using syncrepl) is not replicating the pwd* values.
I've noticed that neither entryCSN nor contextCSN are being updated (on the master) when pwdFailureTime is added to the user (I'm not sure if it should actually change).
But, when we change any other attribute (userPassword, etc) on the master, that does change entryCSN, and all pwd* attributes do get updated in the seconday server.

appreciate your help.