Just to let the list know this was my own doing.
I had an ACL which denied write access to the pwdPolicySubentry because of the preceding self auth statement.
access to attrs=sambaKickoffTime,shadowExpire,shadowMax,shadowWarning,shadowFlag,sambaAcctFlags,sambaPasswordHistory,shadowLastChange,sambaLMPassword,sambaNTPassword,sambaPwdMustChange,sambaPwdLastSet,mail,pwdAccountLockedTime,pwdPolicySubentry,pwdChangedTime,pwdReset
        by self auth
        by group.base="cn=infrastructure,ou=example,ou=groups,dc=umlott,dc=lott" write
        by dn.base="cn=ldapmgr,ou=Service,dc=umlott,dc=lott" write
        by dn.base="cn=replicator,ou=Service,dc=umlott,dc=lott" write
        by * none break
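
Added example (not part of the original thread, and not OpenLDAP code): a simplified Python model of how slapd applies the first matching "by" clause, run over the ACL from the message above. It assumes the denied write was an identity listed later in the ACL modifying its own entry; the group membership and the uid= DNs are constructed.

```python
# Simplified model of slapd <by> clause evaluation: clauses are tried in
# order and the first <who> that matches decides the access level.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The <by> clauses of the ACL from the message, in their original order:
# (who, argument, access level, control). "stop" is slapd's default control.
ACL = [
    ("self", None, "auth", "stop"),
    ("group", "cn=infrastructure,ou=example,ou=groups,dc=umlott,dc=lott", "write", "stop"),
    ("dn", "cn=ldapmgr,ou=Service,dc=umlott,dc=lott", "write", "stop"),
    ("dn", "cn=replicator,ou=Service,dc=umlott,dc=lott", "write", "stop"),
    ("any", None, "none", "break"),  # break: fall through to the next ACL
]

# Constructed group membership, for illustration only.
GROUPS = {"cn=infrastructure,ou=example,ou=groups,dc=umlott,dc=lott":
          {"uid=admin1,ou=people,dc=umlott,dc=lott"}}

def norm(dn):
    """Crude DN normalisation: lower-case and strip spaces around RDNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def evaluate(bound_dn, target_dn, acl=ACL):
    """Return (index, who, level, control) of the first matching clause."""
    b, t = norm(bound_dn), norm(target_dn)
    for i, (who, arg, level, control) in enumerate(acl):
        matched = (
            (who == "self" and b == t)
            or (who == "dn" and b == norm(arg))
            or (who == "group" and b in {norm(m) for m in GROUPS.get(arg, ())})
            or who == "any"
        )
        if matched:
            return i, who, level, control
    return None

def can_write(bound_dn, target_dn, acl=ACL):
    """True if the clause that matched grants at least write access."""
    hit = evaluate(bound_dn, target_dn, acl)
    return hit is not None and LEVELS.index(hit[2]) >= LEVELS.index("write")

if __name__ == "__main__":
    repl = "cn=replicator,ou=Service,dc=umlott,dc=lott"
    user = "uid=jdoe,ou=people,dc=umlott,dc=lott"  # constructed DN
    print("replicator -> other entry:", evaluate(repl, user))
    print("replicator -> own entry:  ", evaluate(repl, repl))
```

In this model the replicator DN gets write on any other entry through its dn.base clause, but on its own entry the earlier "by self auth" clause matches first and evaluation stops at auth.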
From: mlstarling31@hotmail.com
To: brooksct@hbcs.org
Subject: RE: pwdPolicySubentry & replication user
Date: Tue, 8 May 2012 17:05:03 -0400
CC: openldap-technical@openldap.org
I also have no issues if I run syncrepl with a provider and consumer. Only mirror mode. Perhaps I'll try downgrading OpenLDAP.
Thanks.
Mike
Date: Tue, 8 May 2012 16:54:25 -0400
From: brooksct@hbcs.org
To: mlstarling31@hotmail.com
CC: openldap-technical@openldap.org
Subject: RE: pwdPolicySubentry & replication user
I run that version without issues, but my infrastructure is still using good old reliable low-bandwidth slurpd, which is no longer supported.
I don’t think syncrepl is sufficiently reliable yet, although others disagree.
--Charlie
From: Michael Starling [mailto:mlstarling31@hotmail.com]
Sent: 2012 May 08 4:20 PM
To: quanah@zimbra.com
Cc: openldap
Subject: RE: pwdPolicySubentry & replication user
Re: Take the issue to Redhat
Easier said than done.
The policy is what it is but I didn't think it would do any harm to see if anyone has run into this issue.
> Date: Tue, 8 May 2012 12:22:58 -0700
> From: quanah@zimbra.com
> To: mlstarling31@hotmail.com
> CC: openldap-technical@openldap.org
> Subject: RE: pwdPolicySubentry & replication user
>
> --On Tuesday, May 08, 2012 3:07 PM -0400 Michael Starling
> <mlstarling31@hotmail.com> wrote:
>
> >
> > Unfortunately I have no choice as this is the latest available in the
> > RHEL tree and my company won't allow us to deviate and compile.
>
> Then you will need to take issues to RedHat since your company has an
> utterly broken policy.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration