[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: syncrepl not working for pwdFailureTime attribute



On 02/03/2010 11:51, Alex Samad wrote:
Hi

I have setup a multi master as per the online doco.

When I was checking recently, the 2 DB were out of sync, some record
hadn't been transferred over, I force this by setting -c rid=,csn=


But whilst checking this, I noticed that some attributes haven't been
moved across pwdFailureTime was on a record on the primary ldap server and
not on the secondary master, try what I could I couldn't force it over

is this a feature or a bug  ?

The password policy overlay writes updates to the local database only, by default.

As of recent-ish versions of OpenLDAP 2.4.*, an option is available to forward these updates via the frontend. The man page describes it:

       ppolicy_forward_updates
              Specify that policy state changes that result from Bind operations (such as recording
              failures, lockout, etc.) on a consumer should be forwarded to  a  master  instead  of
              being  written directly into the consumer’s local database. This setting is only use‐
              ful on a replication consumer, and also requires  the  updateref  setting  and  chain
              overlay to be appropriately configured.

This option was clearly designed for read-only slaves.

I'm not sure what the behaviour would be in a multi-master setup. You could try this anyway. Any ideas from someone else?

Regards,
Jonathan
--
--------------------------------------------------------------
Jonathan Clarke - jonathan@phillipoux.net
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------