Issue 6031 - An account locked on consumer is unlocked only when password is changed twice in a row on provider
Summary: An account locked on consumer is unlocked only when password is changed twice...
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: historical (show other issues)
Version: unspecified
Hardware: All All
: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-03-24 20:46 UTC by stlist@gmail.com
Modified: 2019-11-20 18:03 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this issue.
Description stlist@gmail.com 2009-03-24 20:46:53 UTC
Full_Name: Samuel Tran
Version: 2.3.43
OS: CentOS 5.x
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (216.73.248.203)


If I lock an account on a consumer 'pwdMaxFailure' consecutive failed bind
attempts, two password changes on the provider is required to unlock the account
on the consumer.
The first password change updates 'userPassword', 'pwdChangedTime' and removes
'pwdFailureTime'. The second updates 'userPassword', 'pwdChangedTime' and
removes 'pwdAccountLockedTime'.

The replication mode is delta-syncrepl.

Here is the configuration file on the provider:

#-------------------------------------------------
# Accesslog DB definition (slapo-accesslog)
#-------------------------------------------------

database        hdb
suffix          "cn=accesslog"
rootdn          "cn=root,cn=accesslog"
rootpw          {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
directory       /var/lib/ldap/accesslog
index           default eq
index           entryUUID,entryCSN,objectClass,reqEnd,reqResult,reqStart

limits dn.exact="cn=syncrepl,ou=Accounts,ou=Apps,dc=example,dc=com"
time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE

#-------------------------------------------------
# Primary example.com database definition
#-------------------------------------------------

database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxx

directory       /var/lib/ldap/example.com

[snip]

index   objectClass,uidNumber,gidNumber,memberUid,employeeNumber eq,pres
index   employeeType,accountActive,ftpActive,mailActive,vacationActive,ou,mailRoutingAddress
eq
index   cn,mail,surname,givenname eq,pres,subinitial
index   displayName,gecos,telephoneNumber sub,subany
index   uid,aliasUid eq,sub,subany
index   entryUUID,entryCSN eq

limits dn.exact="cn=syncrepl,ou=Accounts,ou=Apps,dc=example,dc=com"
time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

overlay syncprov
syncprov-checkpoint 100 30
syncprov-sessionlog 100

overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
logpurge 28+00:00 01+00:00

overlay ppolicy
ppolicy_use_lockout


Here is the configuration file on the consumer:

#-------------------------------------------------
# Primary example.com database definition
#-------------------------------------------------

database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

directory       /var/lib/ldap/example.com

[snip]

index   objectClass,uidNumber,gidNumber,memberUid,employeeNumber eq,pres
index   employeeType,accountActive,ftpActive,mailActive,vacationActive,ou,mailRoutingAddress,mailAlternateAddress,mailAliasActive,allowedService
eq
index   cn,mail,surname,givenname eq,pres,subinitial
index   displayName,gecos,telephoneNumber sub,subany
index   uid,aliasUid eq,sub,subany
index   entryUUID eq

#############################################################
# Syncrepl - Consumer configuration
#############################################################
syncrepl        rid=002
                provider=ldaps://info-ldap-001.example.com:636
                bindmethod=simple
                binddn="cn=syncrepl,ou=Accounts,ou=Apps,dc=example,dc=com"
                credentials=xxxxxxxx
                type=refreshAndPersist
                retry="5 +"
                searchbase="dc=example,dc=com"
                logbase="cn=accesslog"
                logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
                schemachecking=on
                syncdata=accesslog

overlay ppolicy
ppolicy_use_lockout

The problem is similar to the one reported in ITS #5398 for OL 2.4.8.
I saw Howard's reply stating that he was not able to reproduce the problem in
the current OL 2.4.x code. I was wondering if someone was able to reproduce the
problem using OL 2.3.43.

Thanks.
Comment 1 Howard Chu 2009-04-10 19:33:40 UTC
changed notes
changed state Open to Suspended
Comment 2 Howard Chu 2009-06-23 00:27:08 UTC
moved from Incoming to Historical
Comment 3 OpenLDAP project 2014-08-01 21:05:04 UTC
2.3
Comment 4 Quanah Gibson-Mount 2019-11-20 18:03:49 UTC
changed state Suspended to Closed