Full_Name: maria saez
Version: 2.4.8
OS: debian etch
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (193.145.230.2)

An account locked in a consumer needs two password changes in the provider to be
unlocked.
The first time that we change the password in the provider the password change
is replicated in the consumer but the account remains locked.

Can you help us?
We have openldap-2.4.7 and openldap-2.4.8

Is this situation normal?

We have the following configuration:

Provider
-------------------------------------------
database bdb
suffix "dc=xx,dc=es"
rootdn "cn=config"
directory /xx/data
index entryCSN eq
index entryUUID eq
index objectClass eq
index mail eq
# define the replica provider for this database
# (last directives in database section)
overlay ppolicy
ppolicy_default "cn=Standard Policy,ou=Policies,dc=xx,dc=es"
ppolicy_use_lockout

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100


Consumer
----------------------------------------------------------------
database bdb
suffix "dc=xx,dc=es"
rootdn "cn=config"
directory /xx/data
index entryCSN eq
index entryUUID eq
index objectClass eq
index mail eq

overlay ppolicy
ppolicy_default "cn=Standard Policy,ou=Policies,dc=ua,dc=es"
ppolicy_use_lockout

syncrepl rid=123
        provider=ldaps://xx.xx.es:xx/
        binddn="cn=config"
        bindmethod=simple
        credentials=xx
        searchbase="dc=xx,dc=es"
        schemachecking=on
        type=refreshAndPersist
        retry="60 +"

overlay syncprov
-------------------------------------------------------------------
The policy we have defined:

dn: cn=Standard Policy,ou=Policies,dc=xx,dc=es
cn: Standard Policy
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAttribute: 2.5.4.35
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdInHistory: 6
pwdCheckQuality: 2
pwdExpireWarning: 10
pwdMaxAge: 120
pwdMinLength: 5
pwdGraceAuthnLimit: 3
pwdAllowUserChange: TRUE
pwdMustChange: TRUE
pwdMaxFailure: 3
pwdFailureCountInterval: 120
pwdSafeModify: TRUE
pwdMinAge: 120
-------------------------------------------------------------
moved from Incoming to Software Bugs
ssnet@ua.es wrote:
> Full_Name: maria saez
> Version: 2.4.8
> OS: debian etch
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (193.145.230.2)
>
>
>
> An account locked in a consumer needs two password changes in the provider to be
> unlocked.

I'm unable to reproduce this behavior in current code.

> The first time that we change the password in the provider the password change
> is replicated in the consumer but the account remains locked.

A single password change on the provider results in unlocking on the consumer
for me.

>
> Can you help us?
> We have openldap-2.4.7 and openldap-2.4.8
>
> Is this situation normal?
>
> We have the following configuration:
>
> Provider
> -------------------------------------------
> database bdb
> suffix "dc=xx,dc=es"
> rootdn "cn=config"
> directory /xx/data
> index entryCSN eq
> index entryUUID eq
> index objectClass eq
> index mail eq
> # define the replica provider for this database
> # (last directives in database section)
> overlay ppolicy
> ppolicy_default "cn=Standard Policy,ou=Policies,dc=xx,dc=es"
> ppolicy_use_lockout
>
> overlay syncprov
> syncprov-checkpoint 100 10
> syncprov-sessionlog 100
>
>
> Consumer
> ----------------------------------------------------------------
> database bdb
> suffix "dc=xx,dc=es"
> rootdn "cn=config"
> directory /xx/data
> index entryCSN eq
> index entryUUID eq
> index objectClass eq
> index mail eq
>
> overlay ppolicy
> ppolicy_default "cn=Standard Policy,ou=Policies,dc=ua,dc=es"
> ppolicy_use_lockout
>
> syncrepl rid=123
>         provider=ldaps://xx.xx.es:xx/
>         binddn="cn=config"
>         bindmethod=simple
>         credentials=xx
>         searchbase="dc=xx,dc=es"
>         schemachecking=on
>         type=refreshAndPersist
>         retry="60 +"
>
> overlay syncprov
> -------------------------------------------------------------------
> The policy we have defined:
>
> dn: cn=Standard Policy,ou=Policies,dc=xx,dc=es
> cn: Standard Policy
> objectClass: top
> objectClass: device
> objectClass: pwdPolicy
> pwdAttribute: 2.5.4.35
> pwdLockout: TRUE
> pwdLockoutDuration: 0
> pwdInHistory: 6
> pwdCheckQuality: 2
> pwdExpireWarning: 10
> pwdMaxAge: 120
> pwdMinLength: 5
> pwdGraceAuthnLimit: 3
> pwdAllowUserChange: TRUE
> pwdMustChange: TRUE
> pwdMaxFailure: 3
> pwdFailureCountInterval: 120
> pwdSafeModify: TRUE
> pwdMinAge: 120
> -------------------------------------------------------------
>
>
>

--
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
changed state Open to Feedback
moved from Software Bugs to Incoming
changed state Feedback to Closed
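
To see which server still holds lockout state after a password change, the ppolicy operational attributes of the same entry can be dumped from the provider and the consumer and compared. The script below is an added example, not part of the original report or of OpenLDAP; the entry DN, the timestamps and both LDIF samples are constructed to mirror the symptom described in the report.

```python
# Compare ppolicy lockout state of one entry as seen on provider and consumer.
# Input is LDIF text for that entry including operational attributes
# (for example from ldapsearch with "+" in the attribute list).

def parse_entry(ldif):
    """Parse one LDIF entry (plain 'attr: value' lines) into {attr: [values]}."""
    entry = {}
    # LDIF folds long lines: a newline followed by one space continues the line.
    for line in ldif.replace("\n ", "").splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        entry.setdefault(attr, []).append(value)
    return entry

def compare_lockout(provider_ldif, consumer_ldif):
    """Return a list of findings about password and lockout state on both sides."""
    p, c = parse_entry(provider_ldif), parse_entry(consumer_ldif)
    changed = p.get("pwdChangedTime")
    if changed and changed == c.get("pwdChangedTime"):
        findings = ["password change replicated"]
    else:
        findings = ["password change NOT replicated"]
    for side, entry in (("provider", p), ("consumer", c)):
        if "pwdAccountLockedTime" in entry:
            locked = entry["pwdAccountLockedTime"][0]
            findings.append(f"{side} still locked since {locked}")
        if entry.get("pwdFailureTime"):
            count = len(entry["pwdFailureTime"])
            findings.append(f"{side} has {count} recorded failures")
    return findings

# Constructed samples: the password was changed on the provider after the
# consumer had locked the account (three failures, matching pwdMaxFailure: 3).
PROVIDER = """dn: uid=test,ou=People,dc=xx,dc=es
pwdChangedTime: 20080301101500Z
"""
CONSUMER = """dn: uid=test,ou=People,dc=xx,dc=es
pwdChangedTime: 20080301101500Z
pwdAccountLockedTime: 20080301100000Z
pwdFailureTime: 20080301095800Z
pwdFailureTime: 20080301095900Z
pwdFailureTime: 20080301100000Z
"""

if __name__ == "__main__":
    for finding in compare_lockout(PROVIDER, CONSUMER):
        print(finding)
```
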