Dear sir,

I found that the account policy can't be replicated in openldap 2.4.8. I set up 2 servers in mirror mode. Then I added the password policy and some user accounts in server 1. I then started up server 2, and the user accounts were replicated to server 2.

Content of policy.ldif:

dn: ou=Policies
ou: Policies
description: All people in organisation
objectClass: organizationalUnit

dn: ou=Policies,o=HKSARG
ou: Policies
description: All people in organisation
objectClass: organizationalUnit

dn: cn=default,ou=Policies,o=HKSARG
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxFailure: 3
pwdInHistory: 12
pwdMinLength: 6
pwdExpireWarning: 259200
pwdAllowUserChange: TRUE
pwdFailureCountInterval: 300
pwdGraceAuthNLimit: 1
pwdLockoutDuration: 300
pwdMustChange: FALSE
pwdCheckQuality: 1
pwdMaxAge: 60000000

slapd.conf in server 1:

#overlay syncprov
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,o=HKSARG"
overlay syncprov
#access to * by dn="cn=Manager" write by * read
access to * by * write
access to * by * read
#database monitor
syncprov-checkpoint 100 10
syncprov-sessionlog 100
# syncrepl directives
syncrepl rid=1
        provider=ldap://202.245.193.128:389/
        bindmethod=simple
        binddn="cn=Manager"
        credentials=secret
        searchbase="o=HKSARG"
        schemachecking=off
        type=refreshAndPersist
        retry="60 +"
syncrepl rid=2
        provider=ldap://10.166.23.218:389/
        bindmethod=simple
        binddn="cn=Manager"
        credentials=secret
        searchbase="o=HKSARG"
        schemachecking=off
        type=refreshAndPersist
        retry="60 +"
mirrormode on
serverID 1

slapd.conf in server 2:

# Password policy
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,o=HKSARG"
overlay syncprov
#access to * by dn="cn=Manager" write by * read
access to * by * write
access to * by * read
#database monitor
syncprov-checkpoint 100 10
syncprov-sessionlog 100
# syncrepl directives
syncrepl rid=1
        provider=ldap://202.245.193.128:389/
        bindmethod=simple
        binddn="cn=Manager"
        credentials=secret
        searchbase="o=HKSARG"
        schemachecking=off
        type=refreshAndPersist
        retry="60 +"
syncrepl rid=2
        provider=ldap://10.166.23.218:389/
        bindmethod=simple
        binddn="cn=Manager"
        credentials=secret
        searchbase="o=HKSARG"
        schemachecking=off
        type=refreshAndPersist
        retry="60 +"
mirrormode on
serverID 2

I input the incorrect password 3 times in server 1 for a user; then I find that the attribute pwdAccountLockedTime is updated in server 1, but in server 2 this attribute is not replicated. As a result, when I input the correct password in server 2, I still get authentication successful, but in server 1 authentication fails.

Thanks
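A check for the symptom described above, as an added example (not the poster's code or OpenLDAP's): it parses LDIF dumps taken from each mirror with ldapsearch requesting operational attributes ('+') and reports, per entry, the ppolicy state attributes that differ between the two servers. The DNs, attribute values and timestamps in the sample dumps are constructed.

```python
from collections import defaultdict

# ppolicy operational attributes that carry per-user lockout/failure state.
PPOLICY_STATE_ATTRS = ("pwdAccountLockedTime", "pwdFailureTime", "pwdChangedTime", "pwdGraceUseTime")

def parse_ldif(text):
    """Minimal LDIF parser -> {dn: {attr: [values]}}. Unfolds continuation lines
    (newline + one space); a blank line ends an entry; '::' base64 values stay raw."""
    entries, entry, dn = {}, None, None
    for line in text.replace("\n ", "").splitlines() + [""]:  # "" flushes last entry
        if not line.strip():
            if dn:
                entries[dn] = entry
            entry, dn = None, None
            continue
        attr, _, value = line.partition(":")
        if attr.lower() == "dn":
            dn, entry = value.strip(), defaultdict(list)
        elif entry is not None:
            entry[attr].append(value.strip())
    return entries

def diff_ppolicy_state(ldif_a, ldif_b, attrs=PPOLICY_STATE_ATTRS):
    """Return {dn: {attr: (values_a, values_b)}} for entries whose ppolicy state
    differs between the two dumps; an empty dict means the replicas agree."""
    a, b = parse_ldif(ldif_a), parse_ldif(ldif_b)
    diffs = {}
    for dn in sorted(set(a) | set(b)):
        for attr in attrs:
            va = sorted(a.get(dn, {}).get(attr, []))
            vb = sorted(b.get(dn, {}).get(attr, []))
            if va != vb:
                diffs.setdefault(dn, {})[attr] = (va, vb)
    return diffs

# Constructed sample dumps, as `ldapsearch -LLL -b o=HKSARG '(uid=*)' '+'`
# might print on each server after three failed binds for alice on server 1.
SERVER1_LDIF = """dn: uid=alice,o=HKSARG
pwdFailureTime: 20080301120001Z
pwdFailureTime: 20080301120005Z
pwdFailureTime: 20080301120009Z
pwdAccountLockedTime: 20080301120009Z

dn: uid=bob,o=HKSARG
pwdChangedTime: 20080228080000Z"""
SERVER2_LDIF = """dn: uid=alice,o=HKSARG

dn: uid=bob,o=HKSARG
pwdChangedTime: 20080228080000Z"""

if __name__ == "__main__":
    print(diff_ppolicy_state(SERVER1_LDIF, SERVER2_LDIF))
```

Entries that agree on every state attribute (bob above) are not reported, so a non-empty result is the lockout state that exists on one mirror only.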