[Date Prev][Date Next]
Re: (ITS#7766) Account unlocked in slave after two modifications on a master (overlay ppolicy)
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#7766) Account unlocked in slave after two modifications on a master (overlay ppolicy)
- From: firstname.lastname@example.org
- Date: Mon, 16 Dec 2013 21:10:54 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
On Mon, 16 Dec 2013, email@example.com wrote:
> Full_Name: Cl?ment OUDOT
> Version: 2.4.38
> OS: GNU/Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (18.104.22.168)
> I have a simple setup with a master (overlay syncprov + overlay ppolicy) and a
> slave (syncrepl client, overlay ppolicy).
> 1. I lock my account in the slave
> 2. I change the description attribute of my account a first time in the master
> 3. My account is still locked in the slave
> 4. I change the description attribute of my account a second time in the master
> 5. My account is no more locked in the slave: the password policy operational
> attributes pwdFailureTime and pwdAccountUnlockTime were erased by the one of the
> Seems like a control is done the first time that syncrepl update the entry (the
> first time, pwdAccountLockTime and pwdFailureTime are not erased), but the
> second time the control is not done.
I have had a very similar setup for some time now and have never observed this kind of behaviour from the ppolicy overlay. I am quite confident it should work correctly in the situation you describe.
There might be a valid reason for pwdAccountLockedtime and pwdFailureTime attributes disappearing like perhaps expiry of pwdLockoutDuration. Please see the account_locked() function in servers/slapd/overlay/ppolicy.c for this.
It is of course also quite possible that you have hit a special corner case that nobody else has yet found.
The best thing you could do would be to setup a small self contained test case to illustrate the problem.
Christian Kratzer CK Software GmbH
Email: firstname.lastname@example.org Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Web: http://www.cksoft.de/ Geschaeftsfuehrer: Christian Kratzer