Re: (ITS#5398) An account locked in a consumer is only unlocked when the password is changed two times
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#5398) An account locked in a consumer is only unlocked when the password is changed two times
- From: hyc@symas.com
- Date: Tue, 3 Feb 2009 04:49:06 GMT
ssnet@ua.es wrote:
> Full_Name: maria saez
> Version: 2.4.8
> OS: debian etch
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (193.145.230.2)
>
>
>
> An account locked in a consumer needs two password changes in the provider to be
> unlocked.
I'm unable to reproduce this behavior in current code.
> The first time that we change the password in the provider the password change
> is replicated in the consumer but the account remains locked.
A single password change on the provider results in unlocking on the consumer
for me.
>
> Can you help us?
> We have openldap-2.4.7 and openldap-2.4.8
>
> Is this situation normal?
>
> We have the following configuration:
>
> Provider
> -------------------------------------------
> database bdb
> suffix "dc=xx,dc=es"
> rootdn "cn=config"
> directory /xx/data
> index entryCSN eq
> index entryUUID eq
> index objectClass eq
> index mail eq
> # define the replica provider for this database
> # (last directives in database section)
> overlay ppolicy
> ppolicy_default "cn=Standard Policy,ou=Policies,dc=xx,dc=es"
> ppolicy_use_lockout
>
> overlay syncprov
> syncprov-checkpoint 100 10
> syncprov-sessionlog 100
>
>
> Consumer
> ----------------------------------------------------------------
> database bdb
> suffix "dc=xx,dc=es"
> rootdn "cn=config"
> directory /xx/data
> index entryCSN eq
> index entryUUID eq
> index objectClass eq
> index mail eq
>
> overlay ppolicy
> ppolicy_default "cn=Standard Policy,ou=Policies,dc=ua,dc=es"
> ppolicy_use_lockout
>
> syncrepl rid=123
> provider=ldaps://xx.xx.es:xx/
> binddn="cn=config"
> bindmethod=simple
> credentials=xx
> searchbase="dc=xx,dc=es"
> schemachecking=on
> type=refreshAndPersist
> retry="60 +"
>
> overlay syncprov
> -------------------------------------------------------------------
> The policy we have defined:
>
> dn: cn=Standard Policy,ou=Policies,dc=xx,dc=es
> cn: Standard Policy
> objectClass: top
> objectClass: device
> objectClass: pwdPolicy
> pwdAttribute: 2.5.4.35
> pwdLockout: TRUE
> pwdLockoutDuration: 0
> pwdInHistory: 6
> pwdCheckQuality: 2
> pwdExpireWarning: 10
> pwdMaxAge: 120
> pwdMinLength: 5
> pwdGraceAuthnLimit: 3
> pwdAllowUserChange: TRUE
> pwdMustChange: TRUE
> pwdMaxFailure: 3
> pwdFailureCountInterval: 120
> pwdSafeModify: TRUE
> pwdMinAge: 120
> -------------------------------------------------------------
>
>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/