2012/5/7 Michael Starling <[email protected]>:
> Consider the following password policy entry to disable password expiration.
>
> dn: cn=noexpire,ou=policies,dc=umlott,dc=lott
> cn: noexpire
> objectClass: pwdPolicy
> objectClass: person
> objectClass: top
> sn: Password Policy
> pwdAttribute: UserPassword
> pwdMaxAge: 0
> pwdLockout: FALSE
> description: Non-Expiring password policy for service accounts.
> ===============================================
>
> The following LDIF attaches this policy to the 3 users below:
>
> dn: cn=ldapmgr,ou=Service,dc=umlott,dc=lott
> changetype: modify
> add: pwdPolicySubentry
> pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,dc=lott
>
> dn: cn=bind,ou=Service,dc=umlott,dc=lott
> changetype: modify
> add: pwdPolicySubentry
> pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,dc=lott
>
> dn: cn=replicator,ou=Service,dc=umlott,dc=lott
> changetype: modify
> add: pwdPolicySubentry
> pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,dc=lott
>
>
> This all works well and good when setting up my first LDAP server, however
> when I set up another LDAP server in mirror mode to the first server the
> pwdPolicySubentry attribute doesn't carry over to the second node and I
> start to see this in the slapd logs:
>
> ppolicy_bind: Setting warning for password expiry for
> cn=replicator,ou=service,dc=umlott,dc=lott = 0 seconds
>
>
> What's interesting is that the other two accounts that have the noexpire
> policy attached carry over the pwdPolicySubentry attribute just fine to the
> second node.
>
>
> Any insight would be greatly appreciated.

Could you give us the OpenLDAP version you are running?

Then, can you check that operational attributes are well synchronized?

Clément.
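
One way to carry out the check suggested in the reply, as an added example that is not part of the thread: export the service entries from each node as LDIF with operational attributes requested, then compare them per DN. The function names, the watched-attribute list and both sample LDIF dumps (including the entryCSN values) are constructed for illustration.

```python
# Diff selected operational attributes between two mirror-mode nodes.
# Watch list is an assumption: pwdPolicySubentry (from the thread) and entryCSN.
WATCHED = ("pwdpolicysubentry", "entrycsn")

def parse_ldif(text):
    """Return {lowercased dn: {attr: [values]}} from plain (non-base64) LDIF."""
    entries, current = {}, None
    for line in text.replace("\n ", "").splitlines():  # undo LDIF line folding
        if not line.strip():                # a blank line ends the entry
            current = None
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            attr, value = attr.strip().lower(), value.strip()
            if attr == "dn":                # DNs compare case-insensitively
                current = entries.setdefault(value.lower(), {})
            elif current is not None:
                current.setdefault(attr, []).append(value)
    return entries

def diff_nodes(ldif_a, ldif_b, watched=WATCHED):
    """Return [(dn, attr, values_a, values_b)] wherever the nodes disagree."""
    a, b = parse_ldif(ldif_a), parse_ldif(ldif_b)
    out = []
    for dn in sorted(set(a) | set(b)):
        for attr in watched:
            va, vb = a.get(dn, {}).get(attr, []), b.get(dn, {}).get(attr, [])
            if sorted(v.lower() for v in va) != sorted(v.lower() for v in vb):
                out.append((dn, attr, va, vb))
    return out

# Constructed sample dumps, one per node (CSN values are made up).
NODE_A = """\
dn: cn=bind,ou=Service,dc=umlott,dc=lott
pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,dc=lott

dn: cn=replicator,ou=Service,dc=umlott,dc=lott
pwdPolicySubentry: cn=noexpire,ou=policies,
 dc=umlott,dc=lott
entryCSN: 20120507101502.000000Z#000000#001#000000
"""
NODE_B = """\
dn: cn=bind,ou=service,dc=umlott,dc=lott
pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,dc=lott

dn: cn=replicator,ou=service,dc=umlott,dc=lott
entryCSN: 20120507090000.000000Z#000000#001#000000
"""
if __name__ == "__main__":
    for dn, attr, va, vb in diff_nodes(NODE_A, NODE_B):
        print(f"{dn}: {attr} node A={va} node B={vb}")
```

An entry whose pwdPolicySubentry is missing on one node while its entryCSN is also older there points at a modification that never replicated, rather than at the policy overlay itself.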
