
Re: (ITS#5398) An account locked in a consumer is only unlocked when the password is changed two times



ssnet@ua.es wrote:
> Full_Name: maria saez
> Version: 2.4.8
> OS: debian etch
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (193.145.230.2)
>
> An account locked in a consumer needs two password changes in the provider to be
> unlocked.

I'm unable to reproduce this behavior in current code.

> The first time that we change the password in the provider the password change
> is replicated in the consumer but the account remains locked.

A single password change on the provider results in unlocking on the consumer 
for me.
>
> Can you help us?
> We have openldap-2.4.7 and openldap-2.4.8
>
> Is this situation normal?
>
> We have the following configuration:
>
> Provider
> -------------------------------------------
> database        bdb
> suffix          "dc=xx,dc=es"
> rootdn          "cn=config"
> directory       /xx/data
> index entryCSN eq
> index entryUUID eq
> index           objectClass     eq
> index           mail    eq
> # define the replica provider for this database
> # (last directives in database section)
> overlay ppolicy
> ppolicy_default "cn=Standard Policy,ou=Policies,dc=xx,dc=es"
> ppolicy_use_lockout
>
> overlay syncprov
> syncprov-checkpoint 100 10
> syncprov-sessionlog 100
>
>
> Consumer
> ----------------------------------------------------------------
> database        bdb
> suffix          "dc=xx,dc=es"
> rootdn          "cn=config"
> directory       /xx/data
> index entryCSN eq
> index entryUUID eq
> index           objectClass     eq
> index           mail    eq
>
> overlay ppolicy
> ppolicy_default "cn=Standard Policy,ou=Policies,dc=ua,dc=es"
> ppolicy_use_lockout
>
> syncrepl        rid=123
>                  provider=ldaps://xx.xx.es:xx/
>                  binddn="cn=config"
>                  bindmethod=simple
>                  credentials=xx
>                  searchbase="dc=xx,dc=es"
>                  schemachecking=on
>                  type=refreshAndPersist
>                  retry="60 +"
>
> overlay syncprov
> -------------------------------------------------------------------
> The policy we have defined:
>
> dn: cn=Standard Policy,ou=Policies,dc=xx,dc=es
> cn: Standard Policy
> objectClass: top
> objectClass: device
> objectClass: pwdPolicy
> pwdAttribute: 2.5.4.35
> pwdLockout: TRUE
> pwdLockoutDuration: 0
> pwdInHistory: 6
> pwdCheckQuality: 2
> pwdExpireWarning: 10
> pwdMaxAge: 120
> pwdMinLength: 5
> pwdGraceAuthnLimit: 3
> pwdAllowUserChange: TRUE
> pwdMustChange: TRUE
> pwdMaxFailure: 3
> pwdFailureCountInterval: 120
> pwdSafeModify: TRUE
> pwdMinAge: 120
> -------------------------------------------------------------
-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
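Added example, not taken from the report above or from OpenLDAP's code: a small Python model of the slapo-ppolicy lockout bookkeeping that the posted policy entry configures, so the sequence under discussion (three bad binds lock the account on the consumer, one password change on the provider, consumer unlocked once the entry replicates) can be walked through without a running slapd. The policy LDIF is copied from the report; the account DN uid=maria,dc=xx,dc=es, the timestamps, and all helper names are invented for this example, and replicate() stands in for syncrepl delivering the provider's whole entry, operational attributes included.

```python
"""Model of the slapo-ppolicy lockout state machine for the policy posted in ITS#5398."""
from datetime import datetime, timedelta, timezone

# Policy entry as posted in the report (constructed copy for this example).
POLICY_LDIF = """\
dn: cn=Standard Policy,ou=Policies,dc=xx,dc=es
cn: Standard Policy
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAttribute: 2.5.4.35
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdInHistory: 6
pwdCheckQuality: 2
pwdExpireWarning: 10
pwdMaxAge: 120
pwdMinLength: 5
pwdGraceAuthnLimit: 3
pwdAllowUserChange: TRUE
pwdMustChange: TRUE
pwdMaxFailure: 3
pwdFailureCountInterval: 120
pwdSafeModify: TRUE
pwdMinAge: 120
"""

T0 = datetime(2008, 3, 1, 12, 0, 0, tzinfo=timezone.utc)  # invented reference time


def at(seconds):
    """Timestamp 'seconds' after T0 (test helper)."""
    return T0 + timedelta(seconds=seconds)


def parse_policy(ldif):
    """Parse a single-entry LDIF into a dict; TRUE/FALSE and integers are typed."""
    policy = {}
    for line in ldif.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(": ")
        value = value.strip()
        if value in ("TRUE", "FALSE"):
            value = value == "TRUE"
        elif value.isdigit():
            value = int(value)
        if name == "objectClass":
            policy.setdefault(name, []).append(value)
        else:
            policy[name] = value
    return policy


def gt(ts):
    """LDAP GeneralizedTime, the form ppolicy stores in pwd* operational attributes."""
    return ts.strftime("%Y%m%d%H%M%SZ")


def from_gt(s):
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def failed_bind(entry, policy, now):
    """Failed bind: drop pwdFailureTime values older than pwdFailureCountInterval,
    record this failure, and set pwdAccountLockedTime once pwdMaxFailure is reached."""
    if not policy.get("pwdLockout"):
        return entry
    window = timedelta(seconds=policy.get("pwdFailureCountInterval", 0))
    times = list(entry.get("pwdFailureTime", []))
    if window:
        times = [t for t in times if now - from_gt(t) < window]
    times.append(gt(now))
    entry["pwdFailureTime"] = times
    if len(times) >= policy.get("pwdMaxFailure", 0) > 0 and "pwdAccountLockedTime" not in entry:
        entry["pwdAccountLockedTime"] = gt(now)
    return entry


def is_locked(entry, policy, now):
    """pwdLockoutDuration 0 means the lock never expires by itself."""
    locked_at = entry.get("pwdAccountLockedTime")
    if locked_at is None:
        return False
    duration = policy.get("pwdLockoutDuration", 0)
    if duration == 0:
        return True
    return now - from_gt(locked_at) < timedelta(seconds=duration)


def password_changed_by_admin(entry, policy, now, new_password):
    """Password modify by someone other than the user: lockout state is cleared,
    and with pwdMustChange the user is flagged to change it again (pwdReset)."""
    entry["userPassword"] = new_password
    entry["pwdChangedTime"] = gt(now)
    for attr in ("pwdAccountLockedTime", "pwdFailureTime", "pwdGraceUseTime"):
        entry.pop(attr, None)
    if policy.get("pwdMustChange"):
        entry["pwdReset"] = True
    return entry


def replicate(provider_entry):
    """Stand-in for syncrepl: the consumer receives the provider's whole entry, so any
    pwdAccountLockedTime written locally on the consumer is replaced."""
    return {k: (list(v) if isinstance(v, list) else v) for k, v in provider_entry.items()}


def scenario(lockout_duration=None):
    """Lock on the consumer, change the password once on the provider, replicate.
    Returns (locked before the change, locked after replication, consumer entry)."""
    policy = parse_policy(POLICY_LDIF)
    if lockout_duration is not None:
        policy["pwdLockoutDuration"] = lockout_duration
    provider = {"dn": "uid=maria,dc=xx,dc=es", "userPassword": "old"}  # invented account
    consumer = replicate(provider)
    for i in range(3):  # three bad binds against the consumer inside the 120 s window
        failed_bind(consumer, policy, at(10 * i))
    locked_before = is_locked(consumer, policy, at(30))
    password_changed_by_admin(provider, policy, at(60), "new")
    consumer = replicate(provider)
    return locked_before, is_locked(consumer, policy, at(61)), consumer
```

The transitions follow the slapo-ppolicy(5) description: pwdFailureTime values outside pwdFailureCountInterval are pruned on each failure, pwdAccountLockedTime is set when pwdMaxFailure is reached, both are removed by a password modify, and pwdReset is set because the policy has pwdMustChange TRUE. With pwdLockoutDuration 0 the lock only disappears through such a reset, which is why a single change on the provider, once replicated, is what frees the consumer's copy.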