[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#3980) ppolicy overlay replication problems

Kevin Spicer wrote:
> All four cases now pass my tests.
> Thanks again for your help.
You're welcome. I note that this whole area is an ugly mess.

Since you're using slurpd, a more direct solution would have been simply 
to bind to the replica using the updatedn and reset the offending 
attributes there.
> On Sun, 2005-09-04 at 22:44 +0100, Howard Chu wrote:
>> Ah right. Thanks for the feedback. Case 4 should now be fixed in HEAD.
>> Kevin Spicer wrote:
>>> Thanks for the fix Howard,
>>> Unfortunately it only solves three of the four cases in my original
>>> report.  Case 4 remains unsolved. 
>>> I'm thinking because this is a slightly different case, where
>>> pwdGraceUseTime exists on the replica but not on the master.
>>> The impact of this is that where a user is authenticating against a
>>> replica and locks themselves out due to exhausting grace logins then
>>> even after an administrator resets the password they will still be
>>> unable to bind to the replica.
>>> This was tested against 2.3.7 with ppolicy.c from HEAD
>>> Kevin

  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/