ppolicy+syncrpl: pwd* attributes lost

["Chris G. Sellers" <chris.sellers@nitle.org>]

I have n-way multimaster replication setup.  Works great.

I have slapo_ppolicy setup, it too works.

the problem I appear to have is that whichever server does the password change, the pwd* attributes are set, and then removed from the other server.

So, if I do a password change on server1, the record for user A on server1 shows pwdChangedTime

The record for user A on server2 shows the modificationTime but the pwdChangedTime is deleted

The same goes if I use server2 and look at server1.

At first, I thought it may be due to the clear_hash setting, but that didn't seem to make an impact.  Any ideas?  I know I must have something missing but I'm just not seeing it.

---

password-hash   {SSHA}

###########################################################################

database        bdb

suffix          "dc=nitle,dc=org"

rootdn          "cn=MASTERUSER,dc=nitle,dc=org"

rootpw          {SSHA}WAYTOOSECRETFORYOU

directory       /home/ldap/openldap/var/openldap-data

serverID 1

limits dn.exact="cn=mirroruser,ou=ou,dc=nitle,dc=org" size=unlimited time=unlimited

syncrepl rid=010 provider=ldap://ldapserveronoe.nitle.org:999999999 binddn="cn=mirroruser,ou=ou,dc=nitle,dc=org" bindmethod=simple

  credentials=OOOOOHHHH searchbase="dc=nitle,dc=org" type=refreshAndPersist scope=sub

  interval=00:00:00:10 retry="15 5 300 +" timeout=1 schemachecking=off starttls=yes

  attrs="*,structuralObjectClass,entryUUID,entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp,pwdPolicySubentry"

#  syncdata=accesslog

syncrepl rid=011 provider=ldap://ldapserverTwo.nitle.org:999999999 binddn="cn=ldap`1,dc=nitle,dc=org" bindmethod=simple

        credentials=OOOOOHHHH searchbase="dc=nitle,dc=org" type=refreshAndPersist schemachecking=off scope=sub

        interval=00:00:00:10 retry="15 5 300 +" timeout=1 starttls=yes

        attrs="*,structuralObjectClass,entryUUID,entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp,pwdPolicySubentry"

#       syncdata=accesslog

overlay syncprov

mirrormode true

## INDICES TO MAINTAIN

index   objectClass                                             eq

index   cn,mail,surname,givenname                               eq,subinitial

index   uidNumber,gidNumber,memberuid,member,uniqueMember       eq

## PASSWORD POLICY OVERLAY ##

overlay ppolicy

ppolicy_default "cn=default,ou=policies,dc=nitle,dc=org"

ppolicy_hash_cleartext

# ppolicy_use_lockout

++++++++++++++++++++++++++++++++++++++

Chris G. Sellers |  Internet Engineer      |   NITLE

734.661.2318 |  chris.sellers@nitle.org

Jabber: csellers@nitle.org  | AIM: imthewherd