
(ITS#5398) An account locked in a consumer is only unlocked when the password is changed two times



Full_Name: maria saez
Version: 2.4.8
OS: debian etch
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (193.145.230.2)



An account locked in a consumer needs two password changes in the provider to be
unlocked. 

The first time that we change the password in the provider the password change
is replicated in the consumer but the account remains locked. 

Can you help us?
We have openldap-2.4.7 and openldap-2.4.8

Is this situation normal?

We have the following configuration:

Provider
-------------------------------------------
database        bdb
suffix          "dc=xx,dc=es"
rootdn          "cn=config"
directory       /xx/data
index entryCSN eq
index entryUUID eq
index           objectClass     eq
index           mail    eq
# define the replica provider for this database
# (last directives in database section)
overlay ppolicy
ppolicy_default "cn=Standard Policy,ou=Policies,dc=xx,dc=es"
ppolicy_use_lockout

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100


Consumer
----------------------------------------------------------------
database        bdb
suffix          "dc=xx,dc=es"
rootdn          "cn=config"
directory       /xx/data
index entryCSN eq
index entryUUID eq
index           objectClass     eq
index           mail    eq

overlay ppolicy
ppolicy_default "cn=Standard Policy,ou=Policies,dc=ua,dc=es"
ppolicy_use_lockout

syncrepl        rid=123
                provider=ldaps://xx.xx.es:xx/
                binddn="cn=config"
                bindmethod=simple
                credentials=xx
                searchbase="dc=xx,dc=es"
                schemachecking=on
                type=refreshAndPersist
                retry="60 +"

overlay syncprov
-------------------------------------------------------------------
The policy we have defined:

dn: cn=Standard Policy,ou=Policies,dc=xx,dc=es
cn: Standard Policy
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAttribute: 2.5.4.35
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdInHistory: 6
pwdCheckQuality: 2
pwdExpireWarning: 10
pwdMaxAge: 120
pwdMinLength: 5
pwdGraceAuthnLimit: 3
pwdAllowUserChange: TRUE
pwdMustChange: TRUE
pwdMaxFailure: 3
pwdFailureCountInterval: 120
pwdSafeModify: TRUE
pwdMinAge: 120
-------------------------------------------------------------
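A diagnostic for the situation described in this report, added here as an example and not part of the ITS submission: it compares the ppolicy operational attributes of the same entry as dumped from the provider and from the consumer (ldapsearch with `+`), and flags a consumer copy that has already received the new pwdChangedTime but still carries pwdAccountLockedTime. The two LDIF entries are constructed sample data, not from the reporter's servers.

```python
"""Compare the ppolicy state of one entry on a syncrepl provider and consumer.
Added diagnostic, not part of the ITS report: it flags the case where the
password change has replicated (pwdChangedTime matches) but the consumer
still carries pwdAccountLockedTime. Input is LDIF as returned by ldapsearch
with '+' (operational attributes). Sample entries below are constructed.
"""
from collections import defaultdict


def parse_ldif_entry(ldif: str) -> dict:
    """Parse one LDIF entry into {attribute: [values]}, unfolding continuation
    lines. Base64 (::) values are kept undecoded."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = defaultdict(list)
    for line in lines:
        name, _, value = line.partition(":")
        attrs[name.strip()].append(value.strip())
    return dict(attrs)


def lockout_status(provider: dict, consumer: dict) -> str:
    """Classify the consumer's lockout state relative to the provider copy."""
    p_locked = "pwdAccountLockedTime" in provider
    c_locked = "pwdAccountLockedTime" in consumer
    same_pw = provider.get("pwdChangedTime") == consumer.get("pwdChangedTime")
    if c_locked and not p_locked and same_pw:
        return "stale-lockout"        # password replicated, lock never cleared
    if c_locked and not p_locked:
        return "pending-replication"  # consumer has not seen the change yet
    if c_locked:
        return "locked-both"          # lockout also present on the provider
    return "unlocked"


# Constructed sample: provider entry after the password was changed once.
PROVIDER_LDIF = """dn: uid=jdoe,ou=People,dc=example,dc=es
uid: jdoe
pwdChangedTime: 20080301120000Z
"""
# Constructed sample: consumer copy with the replicated pwdChangedTime but the
# locally generated failure time and lockout still in place.
CONSUMER_LDIF = """dn: uid=jdoe,ou=People,dc=example,dc=es
uid: jdoe
pwdChangedTime: 20080301120000Z
pwdFailureTime: 20080301115902Z
pwdAccountLockedTime: 20080301115902Z
"""
```

Run `lockout_status(parse_ldif_entry(PROVIDER_LDIF), parse_ldif_entry(CONSUMER_LDIF))` against a real pair of dumps to see whether the consumer is in the "stale-lockout" state the report describes.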