
Re: ppolicy and syncrepl clarification



On Tuesday 16 June 2009 10:45:00 Jordi Espasa Clofent wrote:
> Hi,
>
> According to
> http://www.openldap.org/lists/openldap-software/200701/msg00149.html,
> "In general, ppolicy related state values are not replicated; each
> replica is on its own as far as state-related attributes in enforcing
> password policy."
>
> Does this mean that if I have one provider and two consumers, the changes
> made to ppolicy statements on the provider are not synced to the consumers
> as other kinds of entries/attributes are?
>
> I need to know because I've changed my userPassword on the provider and:
>
> * I can use the new password without problems on the provider
> * I cannot use the new password against the two consumers.

userPassword is *not* a "state-related attribute", please see
'man slapo-ppolicy'.

Note that what this does mean is that you may be locked out on one slave, but
not the others (and maybe not the provider), and simply resetting the password
on the master may not be sufficient to unlock the account on the slaves, and the
pwdAccountFailureTime attributes may not be cleared, meaning one more failed
authentication may lock the account on a slave (especially in a load-balanced
environment).

Regards,
Buchan
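
An added example, not part of the original message or of OpenLDAP itself: because the lockout state discussed above is kept per server, this script classifies one account's state on each replica from ldapsearch output. The attribute names pwdFailureTime and pwdAccountLockedTime are the ones documented in slapo-ppolicy(5); the host names, DN, LDIF text and the pwdMaxFailure value of 3 are constructed assumptions.

```python
# Added example; host names, DN and LDIF below are constructed sample data.
# Real input: for each server, ldapsearch -x -H ldap://HOST -b "USER_DN" \
#     -s base pwdFailureTime pwdAccountLockedTime pwdChangedTime

SAMPLE = {
    "provider.example.com": """\
dn: uid=jdoe,ou=people,dc=example,dc=com
pwdChangedTime: 20090616084500Z
""",
    "consumer1.example.com": """\
dn: uid=jdoe,ou=people,dc=example,dc=com
pwdChangedTime: 20090616084500Z
pwdFailureTime: 20090616083010Z
pwdFailureTime: 20090616083015Z
pwdFailureTime: 20090616083021Z
pwdAccountLockedTime: 20090616083021Z
""",
    "consumer2.example.com": """\
dn: uid=jdoe,ou=people,dc=example,dc=com
pwdChangedTime: 20090616084500Z
pwdFailureTime: 20090616083012Z
pwdFailureTime: 20090616083018Z
""",
}

def parse_ldif(text):
    """Parse one unfolded, non-base64 LDIF entry into {attr: [values]}."""
    entry = {}
    for line in text.splitlines():
        attr, sep, value = line.partition(": ")
        if sep and not line.startswith("#"):
            entry.setdefault(attr, []).append(value)
    return entry

def replica_state(entry, max_failure):
    """Classify lockout state as this one replica sees it."""
    failures = len(entry.get("pwdFailureTime", []))
    if "pwdAccountLockedTime" in entry:
        return "locked"
    if max_failure > 0 and failures >= max(1, max_failure - 1):
        return "one failure from lockout"
    return "stale failures" if failures else "clean"

def audit(ldif_by_host, max_failure):
    return {host: replica_state(parse_ldif(text), max_failure)
            for host, text in ldif_by_host.items()}

if __name__ == "__main__":
    print(audit(SAMPLE, max_failure=3))  # assumed pwdMaxFailure: 3
```

Differing states across hosts for the same DN are the per-replica divergence described in the reply above; the parser does not handle folded or base64-encoded LDIF lines.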