
pwdAccountLockedTime and delta-syncrepl



Dear All,

I have an LDAP provider and its consumer running OpenLDAP 2.3.43, the
replication mode being delta-syncrepl.
Password policy is enabled on both servers.

I performed the following tests:

1- Tried N bind attempts to *LDAP provider* with N = pwdMaxFailure and
wrong password. N pwdFailureTime attributes and one
pwdAccountLockedTime attribute were added to the binding DN on
provider. All changes were replicated to the consumer. As a result it
was *not* possible to bind to either the provider or the consumer
using the correct password.
Changing the password on the provider removed the pwdFailureTime and
pwdAccountLockedTime attributes on the provider. Changes were
replicated to the consumer. As a result it was possible to bind to
either the provider or the consumer using the new password.
All works as designed.

2- Tried N bind attempts to *LDAP consumer* with N = pwdMaxFailure and
wrong password. N pwdFailureTime attributes and one
pwdAccountLockedTime attribute were added to the binding DN on
consumer. As a result it was *not* possible to bind to the consumer
using the correct password.
Changing the password on the provider caused the pwdFailureTime
attributes to be removed on the consumer. But the pwdAccountLockedTime
attribute was still present in the binding DN on the consumer. As a
result it was *still not* possible to bind to the consumer using the
new password.
Is this the expected behavior?
I thought that changing the password on the provider would remove both
the pwdFailureTime and pwdAccountLockedTime attributes on the
consumer, thus allowing me to bind to the consumer.

Any help on the matter would be very much appreciated.

Thanks.

--
Sam
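Added example (not code from the post or from OpenLDAP): a small Python check for the divergence described in test 2. It parses the LDIF that ldapsearch returns for the entry on each server when the "+" operational-attribute selector is requested, applies the ppolicy lockout rule, and reports whether provider and consumer disagree on lock state; the DN, timestamps and pwdLockoutDuration value below are constructed.

```python
from datetime import datetime, timedelta, timezone

LOCK_ATTRS = ("pwdFailureTime", "pwdAccountLockedTime")
ADMIN_LOCK = "000001010000Z"  # ppolicy's "locked by administrator" marker

def parse_ldif_entry(ldif):
    """Parse one LDIF entry (as `ldapsearch -LLL ... '+'` prints it) into {attr: [values]}."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:      # unfold continuation lines
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def is_locked(entry, lockout_duration, now):
    """Lock state per ppolicy: pwdAccountLockedTime is present and is either the
    admin marker, a lock with pwdLockoutDuration 0 (until reset), or not yet expired."""
    values = entry.get("pwdAccountLockedTime", [])
    if not values:
        return False
    locked_at = values[0]
    if locked_at == ADMIN_LOCK or lockout_duration == 0:
        return True
    t = datetime.strptime(locked_at, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return now < t + timedelta(seconds=lockout_duration)

def compare_lock_state(provider_ldif, consumer_ldif, lockout_duration=0, now=None):
    """Report whether provider and consumer agree on the entry's lock state."""
    now = now or datetime.now(timezone.utc)
    p, c = parse_ldif_entry(provider_ldif), parse_ldif_entry(consumer_ldif)
    report = {
        "provider_locked": is_locked(p, lockout_duration, now),
        "consumer_locked": is_locked(c, lockout_duration, now),
        "diverged": [a for a in LOCK_ATTRS if sorted(p.get(a, [])) != sorted(c.get(a, []))],
    }
    report["consistent"] = (report["provider_locked"] == report["consumer_locked"]
                            and not report["diverged"])
    return report

# Constructed sample: the post's test 2 after the password change on the provider.
PROVIDER = "dn: uid=sam,ou=people,dc=example,dc=com\nuid: sam\npwdChangedTime: 20090812110000Z\n"
CONSUMER = PROVIDER + "pwdAccountLockedTime: 20090812103015Z\n"

if __name__ == "__main__":
    print(compare_lock_state(PROVIDER, CONSUMER))
```

Run the same comparison against live output from both servers to confirm which replica still carries the stale lock before touching the entry.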