Is it possible to synchronize the same ppolicy across different suffixes on the same server? I would have thought referrals would take care of this, and they do to an extent, but when the suffix that doesn't actually contain the policy entry gets a lockout request from failed attempts, pwdAccountLockedTime gets recorded on the same suffix from where it was originating, not the one being referenced.
In the manual it states that ppolicy_forward_updates should take care of this, but it requires updateref and the chain overlay (which must be set up under back_ldap) in order to work. The problem is when I set up back_ldap and point its database to the original policy entry, it complains that a previous database declaration has already claimed it, which is true because I have the database containing that policy entry on the same machine.
Is there a way to do this or am I going about this wrong?
Thanks, Tyler
openldap-technical@openldap.org