
Re: (ITS#7766) Account unlocked in slave after two modifications on a master (overlay ppolicy)


On Mon, 16 Dec 2013, coudot@linagora.com wrote:
> Full_Name: Clément OUDOT
> Version: 2.4.38
> OS: GNU/Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (
> I have a simple setup with a master (overlay syncprov + overlay ppolicy) and a
> slave (syncrepl client, overlay ppolicy).
> 1. I lock my account in the slave
> 2. I change the description attribute of my account a first time in the master
> 3. My account is still locked in the slave
> 4. I change the description attribute of my account a second time in the master
> 5. My account is no longer locked in the slave: the password policy operational
> attributes pwdFailureTime and pwdAccountUnlockTime were erased by the one of the
> master
> Seems like a control is done the first time that syncrepl updates the entry (the
> first time, pwdAccountLockTime and pwdFailureTime are not erased), but the
> second time the control is not done.

I have had a very similar setup for some time now and have never observed this kind of behaviour from the ppolicy overlay. I am quite confident it should work correctly in the situation you describe.

There might be a valid reason for the pwdAccountLockedtime and pwdFailureTime attributes disappearing, such as perhaps expiry of pwdLockoutDuration. Please see the account_locked() function in servers/slapd/overlay/ppolicy.c for this.

It is of course also quite possible that you have hit a special corner case that nobody else has yet found.

The best thing you could do would be to set up a small self-contained test case to illustrate the problem.


Christian Kratzer                      CK Software GmbH
Email:   ck@cksoft.de                  Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0          D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9          HRB 245288, Amtsgericht Stuttgart
Web:     http://www.cksoft.de/         Geschaeftsfuehrer: Christian Kratzer
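
Added example, not part of either message and not OpenLDAP code: a small Python check for the expiry explanation raised in the reply, deciding whether a lock that vanished from a slave entry had already outlived pwdLockoutDuration when the change was observed. The semantics (a zero duration and the 000001010000Z value both mean no automatic expiry) follow the LDAP password policy draft; the function names, the dict shape and the two snapshots are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Draft sentinel value: locked until an administrator resets the account.
PERMANENT_LOCK = "000001010000Z"

def parse_generalized_time(value):
    """Parse a UTC GeneralizedTime of the form YYYYmmddHHMMSS[.fraction]Z."""
    if not value.endswith("Z"):
        raise ValueError("only UTC ('Z') timestamps are handled: %r" % value)
    body = value[:-1].split(".", 1)[0]  # drop the optional fraction
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def lock_state(entry, lockout_duration, now):
    """Return 'not-locked', 'locked' or 'lock-expired' for one entry snapshot.

    entry: dict of attribute name -> list of values (assumed shape).
    lockout_duration: pwdLockoutDuration in seconds; 0 means no automatic expiry.
    """
    attrs = {name.lower(): vals for name, vals in entry.items()}
    values = attrs.get("pwdaccountlockedtime", [])
    if not values:
        return "not-locked"
    if values[0] == PERMANENT_LOCK or lockout_duration == 0:
        return "locked"
    expires = parse_generalized_time(values[0]) + timedelta(seconds=lockout_duration)
    return "locked" if now < expires else "lock-expired"

def expiry_explains_loss(before, after, lockout_duration, observed_at):
    """True if the lock present in `before` and absent in `after` had already
    expired at `observed_at`, so its removal needs no other explanation."""
    gone = lock_state(after, lockout_duration, observed_at) == "not-locked"
    return gone and lock_state(before, lockout_duration, observed_at) == "lock-expired"

# Constructed slave snapshots: before and after the second change on the master.
BEFORE = {"pwdAccountLockedTime": ["20131216100000Z"],
          "pwdFailureTime": ["20131216095950Z", "20131216095955Z", "20131216100000Z"]}
AFTER = {"description": ["second change"]}

if __name__ == "__main__":
    for minute in (2, 6):
        at = datetime(2013, 12, 16, 10, minute, tzinfo=timezone.utc)
        print(at.isoformat(), expiry_explains_loss(BEFORE, AFTER, 300, at))
```

A False result for a snapshot taken inside the lockout window means expiry cannot account for the missing attributes, which is the case worth turning into the self-contained test case requested above.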