| Ok, I did find part of my error. It was not explicitly named in the syncrepl statement. I added pwdChangedTime and pwdHistory to the syncrepl attrs line and it does sync them now -- but only if they already exist. The account does not have a pwdChangedTime, and you change the password on servera, serverb does not get the attribute populated. I will have to monitor the logs to see. Thanks for making me think different about the problem. --line changed -- attrs="*,structuralObjectClass,entryUUID,entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp,pwdPolicySubentry" attrs="*,structuralObjectClass,entryUUID,entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp,pwdPolicySubentry,pwdChangedTime,pwdHistory" On Jun 26, 2008, at 9:07 AM, Gavin Henry wrote: Chris G. Sellers wrote: I have n-way multimaster replication setup. Works great. I have slapo_ppolicy setup, it too works. the problem I appear to have is that whichever server does the password change, the pwd* attributes are set, and then removed from the other server. So, if I do a password change on server1, the record for user A on server1 shows pwdChangedTime The record for user A on server2 shows the modificationTime but the pwdChangedTime is deleted The same goes if I use server2 and look at server1. At first, I thought it may be due to the clear_hash setting, but that didn't seem to make an impact. Any ideas? I know I must have something missing but I'm just not seeing it. --- password-hash {SSHA} ########################################################################### database bdb suffix "dc=nitle,dc=org" rootdn "cn=MASTERUSER,dc=nitle,dc=org" rootpw {SSHA}WAYTOOSECRETFORYOU directory /home/ldap/openldap/var/openldap-data serverID 1 limits dn.exact="cn=mirroruser,ou=ou,dc=nitle,dc=org" size=unlimited time=unlimited syncrepl rid=010 provider=ldap://ldapserveronoe.nitle.org:999999999 binddn="cn=mirroruser,ou=ou,dc=nitle,dc=org" bindmethod=simple credentials=OOOOOHHHH searchbase="dc=nitle,dc=org" type=refreshAndPersist scope=sub interval=00:00:00:10 retry="15 5 300 +" timeout=1 schemachecking=off starttls=yes attrs="*,structuralObjectClass,entryUUID,entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp,pwdPolicySubentry" # syncdata=accesslog syncrepl rid=011 provider=ldap://ldapserverTwo.nitle.org:999999999 binddn="cn=ldap`1,dc=nitle,dc=org" bindmethod=simple credentials=OOOOOHHHH searchbase="dc=nitle,dc=org" type=refreshAndPersist schemachecking=off scope=sub interval=00:00:00:10 retry="15 5 300 +" timeout=1 starttls=yes attrs="*,structuralObjectClass,entryUUID,entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp,pwdPolicySubentry" # syncdata=accesslog overlay syncprov mirrormode true ## INDICES TO MAINTAIN index objectClass eq index cn,mail,surname,givenname eq,subinitial index uidNumber,gidNumber,memberuid,member,uniqueMember eq ## PASSWORD POLICY OVERLAY ## overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=nitle,dc=org" ppolicy_hash_cleartext # ppolicy_use_lockout ++++++++++++++++++++++++++++++++++++++ Chris G. Sellers | Internet Engineer | NITLE 734.661.2318 | chris.sellers@nitle.org <mailto:chris.sellers@nitle.org> Jabber: csellers@nitle.org <mailto:csellers@nitle.org> | AIM: imthewherd Where are your ACLs? -- Kind Regards, Gavin Henry. OpenLDAP Engineering Team. E ghenry@OpenLDAP.org Community developed LDAP software. http://www.openldap.org/project/ ++++++++++++++++++++++++++++++++++++++ Chris G. Sellers | Internet Engineer | NITLE 734.661.2318 | chris.sellers@nitle.org Jabber: csellers@nitle.org | AIM: imthewherd |