On Mon, 9 Jan 2017, Quanah Gibson-Mount wrote:

Date: Mon, 9 Jan 2017 12:46:58 To: Beth Halsema bhalsema@purdue.edu, OpenLDAP Technical List openldap-technical@openldap.org From: Quanah Gibson-Mount quanah@symas.com Subject: Re: ppolicy overlay and MMR experiencing frequent delta-sync lost issue

--On Monday, January 09, 2017 9:53 AM -0500 Beth Halsema bhalsema@purdue.edu wrote:

...

We have submitted OpenLDAP-ITS #8561 with a unit test and a possible patch to the ppolicy overlay.

If anyone else has run into this, we would be interested in any other work- arounds that have been used to address the issue.

Hi Beth,

I'm guessing that ppolicy is writing items that are not supposed to be replicated to the accesslog. This issue (ITS8561) and ITS8444 I think are generally similar items, in that while the accesslog is writing all write operations, replication requires that some write operations not be present in the accesslog. I'll be discussing with the other team members on how best to handle what are somewhat conflicting requirements.

Regards, Quanah

Quanah, are you suggesting that the ppolicy attributes (i.e. pwdGraceUseTime, pwdFailureTime, etc.) not be replicated?

If so, that would make me sad. :) I believe that their replication is quite beneficial for OpenLDAP clusters toward avoiding:

1. The behavior being inconsistent, depending on which node is used (one node locks out, while the others haven't yet reached that state). 2. A user potentially having pwdMaxFailure * (the number of nodes in the cluster) failures before being locked out.

If not, then I am no longer sad. :)

I appreciate your time and effort.

Thank you, Beth ------------------------------------------------------------------------- Beth A. Halsema - GSEC, GSSP-Java email:bhalsema@purdue.edu Sofware Engineer, Identity & Access Management OVPIT - IT Security and Policy 3495 Kent Avenue, Suite 100 Fax : (765) 464-2233 West Lafayette, IN 47906 Campus Mail: ROSS