
ppolicy and syncrepl
Hello all,

I am losing something important about ppolicy and (syncrepl) replication.

The master OpenLDAP has an mdb database with the following overlays:
# {0}ppolicy, {1}mdb, config
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=pre_default,ou=policies,dc=example,dc=org

# {1}syncprov, {1}mdb, config
dn: olcOverlay={1}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {1}syncprov
olcSpCheckpoint: 20 10
olcSpSessionlog: 500

ppolicy works fine on master:

ldapwhoami -x -ZZ -h master.example.org -D uid=malvezzi,ou=people,dc=example,dc=org -w secret -e ppolicy
ldap_bind: Invalid credentials (49); Password expired

entry is:
sudo ldapsearch -H ldapi:/// -Y EXTERNAL 'uid=malvezzi' +
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0

# malvezzi, people, example.org
dn: uid=malvezzi,ou=people,dc=example,dc=org
structuralObjectClass: inetOrgPerson
entryUUID: 982dbc48-f125-1032-8ef6-db4e8deee77a
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20131204114727Z
pwdHistory:
20140428131956Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}YC2cJflzdWc
 tkxDL2xBR+TDj/oRWzGAh
pwdHistory:
20140428132623Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}vHW/cNKDwZT
 kM0pMFJ/venY9OhYR+T2c
pwdPolicySubentry: cn=default30g,ou=policies,dc=example,dc=org
pwdChangedTime: 20140311071845Z
entryCSN: 20140428135251.204124Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140428135251Z
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE

On the replica (slave) ppolicy looks inactive:
ldapwhoami -x -H ldapi:/// -D uid=malvezzi,ou=people,dc=example,dc=org -w secret -e ppolicy
dn:uid=malvezzi,ou=people,dc=example,dc=org

The entry on the slave looks correct:
ldapsearch -x -h slave.example.org -ZZ -D uid=malvezzi,ou=people,dc=example,dc=org -w secret -e ppolicy 'uid=malvezzi' +

dn: uid=malvezzi,ou=people,dc=example,dc=org
structuralObjectClass: inetOrgPerson
entryUUID: 982dbc48-f125-1032-8ef6-db4e8deee77a
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20131204114727Z
pwdHistory:
20140428131956Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}YC2cJflzdWc
 tkxDL2xBR+TDj/oRWzGAh
pwdHistory:
20140428132623Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}vHW/cNKDwZT
 kM0pMFJ/venY9OhYR+T2c
pwdPolicySubentry: cn=default30g,ou=policies,dc=example,dc=org
pwdChangedTime: 20140311071845Z
entryCSN: 20140428135251.204124Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140428135251Z
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE

(on slave):
ldapsearch -H ldapi:/// -Y EXTERNAL cn=default30g

dn: cn=default30g,ou=policies,dc=example,dc=org
cn: default30g
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdExpireWarning: 60000
pwdFailureCountInterval: 30
pwdInHistory: 2
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 2592000
pwdMaxFailure: 0
pwdMinAge: 0
pwdMustChange: TRUE
pwdSafeModify: FALSE
sn: scadenza password ogni 30 giorni
pwdGraceAuthNLimit: 0
pwdMinLength: 8
objectClass: person
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: top
pwdCheckQuality: 1
pwdCheckModule: check_password.so

ppolicy overlay is enabled on the replica database.

Should I enable ppolicy overlay on glue database as well?

If I type a wrong password, the master adds a pwdFailureTime line; the slave does not.

What am I missing?

Thank you all,

Francesco
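The message compares what the ppolicy overlay enforces on the master with what the replica does. The following offline audit is an added example, not part of the message and not OpenLDAP code: it parses a pwdPolicy entry and a user entry of the shape quoted above (the policy and user values are copied from the post; the pwdFailureTime values on the master sample are constructed to mirror the "master adds pwdFailureTime, slave does not" symptom), evaluates expiry the way slapo-ppolicy does (pwdChangedTime + pwdMaxAge, then pwdExpireWarning and pwdGraceAuthNLimit), checks whether pwdLockout can fire at all given pwdMaxFailure, and diffs the ppolicy state attributes between a master and a replica dump of the same entry. It generalizes beyond the single entry in the post: any LDIF exported with `ldapsearch ... +` from both servers can be fed to the same functions.

```python
"""Offline ppolicy audit from LDIF dumps (added example; not from the post or OpenLDAP)."""
from datetime import datetime, timedelta, timezone

# Policy values copied from the cn=default30g entry quoted in the post (trimmed).
POLICY_LDIF = """\
dn: cn=default30g,ou=policies,dc=example,dc=org
cn: default30g
pwdExpireWarning: 60000
pwdFailureCountInterval: 30
pwdInHistory: 2
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 2592000
pwdMaxFailure: 0
pwdGraceAuthNLimit: 0
objectClass: pwdPolicy
"""

# User entry as on the master; the two pwdFailureTime values are constructed.
MASTER_ENTRY_LDIF = """\
dn: uid=malvezzi,ou=people,dc=example,dc=org
pwdHistory: 20140428131956Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}YC2cJflzdWc
 tkxDL2xBR+TDj/oRWzGAh
pwdPolicySubentry: cn=default30g,ou=policies,dc=example,dc=org
pwdChangedTime: 20140311071845Z
pwdFailureTime: 20140428135300Z
pwdFailureTime: 20140428135305Z
"""

# Same entry as seen on the replica: no pwdFailureTime was ever recorded there.
REPLICA_ENTRY_LDIF = """\
dn: uid=malvezzi,ou=people,dc=example,dc=org
pwdHistory: 20140428131956Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}YC2cJflzdWc
 tkxDL2xBR+TDj/oRWzGAh
pwdPolicySubentry: cn=default30g,ou=policies,dc=example,dc=org
pwdChangedTime: 20140311071845Z
"""

# Operational state the overlay writes on authentication events.
PPOLICY_STATE_ATTRS = ("pwdChangedTime", "pwdFailureTime", "pwdAccountLockedTime",
                       "pwdGraceUseTime", "pwdReset")


def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]}, joining folded lines."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:   # LDIF continuation line
            unfolded[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            unfolded.append(raw)
    attrs = {}
    for line in unfolded:
        name, _, value = line.partition(":")
        attrs.setdefault(name, []).append(value.strip())
    return attrs


def parse_gt(value):
    """GeneralizedTime as slapd writes it: YYYYmmddHHMMSSZ, UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_status(entry, policy, now):
    """Expiry as ppolicy computes it: pwdChangedTime + pwdMaxAge compared with now."""
    max_age = int(policy.get("pwdMaxAge", ["0"])[0])
    warning = int(policy.get("pwdExpireWarning", ["0"])[0])
    grace = int(policy.get("pwdGraceAuthNLimit", ["0"])[0])
    if max_age == 0:   # pwdMaxAge 0 means passwords never expire
        return {"state": "no-expiry", "expires_at": None, "seconds_remaining": None}
    expires_at = parse_gt(entry["pwdChangedTime"][0]) + timedelta(seconds=max_age)
    remaining = int((expires_at - now).total_seconds())
    if remaining > warning:
        state = "ok"
    elif remaining > 0:
        state = "warning"          # server would attach a ppolicy expiring warning
    else:                          # expired: only grace binds (if any) succeed
        state = "grace" if len(entry.get("pwdGraceUseTime", [])) < grace else "expired"
    return {"state": state, "expires_at": expires_at, "seconds_remaining": remaining}


def lockout_status(entry, policy, now):
    """Whether failures can lock the account: pwdMaxFailure 0 disables the check."""
    max_fail = int(policy.get("pwdMaxFailure", ["0"])[0])
    failures = [parse_gt(v) for v in entry.get("pwdFailureTime", [])]
    if policy.get("pwdLockout", ["FALSE"])[0] != "TRUE" or max_fail == 0:
        return {"state": "lockout-disabled", "recent_failures": len(failures)}
    interval = int(policy.get("pwdFailureCountInterval", ["0"])[0])
    if interval:   # failures older than the interval are purged by the overlay
        failures = [f for f in failures if (now - f).total_seconds() <= interval]
    locked = "pwdAccountLockedTime" in entry or len(failures) >= max_fail
    return {"state": "locked" if locked else "ok", "recent_failures": len(failures)}


def replica_drift(master, replica, attrs=PPOLICY_STATE_ATTRS):
    """ppolicy state attributes whose values differ between the two dumps."""
    return sorted(a for a in attrs if master.get(a, []) != replica.get(a, []))


if __name__ == "__main__":
    policy, master, replica = map(parse_ldif, (POLICY_LDIF, MASTER_ENTRY_LDIF, REPLICA_ENTRY_LDIF))
    now = parse_gt("20140428135251Z")   # modifyTimestamp quoted in the post
    print(password_status(master, policy, now))
    print(lockout_status(master, policy, now))
    print("state attrs differing master vs replica:", replica_drift(master, replica))
```

Run against the post's values, the expiry check reports the password expired on 2014-04-10, which is exactly why the master answers "Password expired"; the same arithmetic on the replica dump gives the same result, so a replica that binds successfully is not evaluating the policy. The lockout check also shows that with pwdMaxFailure set to 0 the pwdLockout TRUE setting never locks anyone, and the drift function lists pwdFailureTime as present on the master only.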