Re: pwdAccountLockedTime and delta-syncrepl

["Sam Tran" <stlist@gmail.com>]

On Fri, Oct 10, 2008 at 4:04 PM, Sam Tran <stlist@gmail.com> wrote:
> On Thu, Oct 9, 2008 at 3:53 PM, Sam Tran <stlist@gmail.com> wrote:
>> Dear All,
>>
> [snip]
>>
>> 2- Tried N bind attempts to *LDAP consumer* with N = pwdMaxFailure and
>> wrong password. N pwdFailureTime attributes and one
>> pwdAccountLockedTime attribute were added to the binding DN on
>> consumer. As a result it was *not* possible to bind to the consumer
>> using the correct password.
>> Changing the password on the provider caused the pwdFailureTime
>> attributes to be removed on the consumer. But the pwdAccountLockedTime
>> attribute was still present in the binding DN on the consumer. As a
>> result it was *still not* possible to bind to the consumer using the
>> new password.
>> Is this the expected behavior?
>> I thought that changing the password on the provider would remove both
>> the pwdFailureTime and pwdAccountLockedTime attributes on the
>> consumer, thus allowing me to bind to the consumer.
>>
>
> Now it is becoming more confusing. I performed the same test #2. After
> changing the password once on the provider, only the pwdFailureTime
> attributes were deleted on the consumer. If I changed the password a
> second time on the provider, the pwdAccountLockedTime attribute on the
> consumer gets deleted this time ...
> Is it how it is supposed to work?
>

Just saw that bug report ITS #5398 regarding OL 2.4.x:
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5398;selectid=5398
But it has been unanswered since last February.

The same behavior can be observed in OL 2.3.43.

--
Sam