Re: syncrepl not working for pwdFailureTime attribute

[Jonathan Clarke <jonathan@phillipoux.net>]

On 02/03/2010 11:51, Alex Samad wrote:
> Hi
>
> I have setup a multi master as per the online doco.
>
> When I was checking recently, the 2 DB were out of sync, some record
> hadn't been transferred over, I force this by setting -c rid=,csn=
>
>
> But whilst checking this, I noticed that some attributes haven't been
> moved across pwdFailureTime was on a record on the primary ldap server and
> not on the secondary master, try what I could I couldn't force it over
>
> is this a feature or a bug  ?

The password policy overlay writes updates to the local database only, 
by default.

As of recent-ish versions of OpenLDAP 2.4.*, an option is available to 
forward these updates via the frontend. The man page describes it:

>        ppolicy_forward_updates
>               Specify that policy state changes that result from Bind operations (such as recording
>               failures, lockout, etc.) on a consumer should be forwarded to  a  master  instead  of
>               being  written directly into the consumer’s local database. This setting is only use‐
>               ful on a replication consumer, and also requires  the  updateref  setting  and  chain
>               overlay to be appropriately configured.

This option was clearly designed for read-only slaves.

I'm not sure what the behaviour would be in a multi-master setup. You 
could try this anyway. Any ideas from someone else?

Regards,
Jonathan
--
--------------------------------------------------------------
Jonathan Clarke - jonathan@phillipoux.net
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------