On Fri, Oct 10, 2008 at 4:04 PM, Sam Tran <[EMAIL PROTECTED]> wrote:
> On Thu, Oct 9, 2008 at 3:53 PM, Sam Tran <[EMAIL PROTECTED]> wrote:
>> Dear All,
>>
> [snip]
>>
>> 2- Tried N bind attempts to *LDAP consumer* with N = pwdMaxFailure and
>> wrong password. N pwdFailureTime attributes and one
>> pwdAccountLockedTime attribute were added to the binding DN on
>> consumer. As a result it was *not* possible to bind to the consumer
>> using the correct password.
>> Changing the password on the provider caused the pwdFailureTime
>> attributes to be removed on the consumer. But the pwdAccountLockedTime
>> attribute was still present in the binding DN on the consumer. As a
>> result it was *still not* possible to bind to the consumer using the
>> new password.
>> Is this the expected behavior?
>> I thought that changing the password on the provider would remove both
>> the pwdFailureTime and pwdAccountLockedTime attributes on the
>> consumer, thus allowing me to bind to the consumer.
>>
>
> Now it is becoming more confusing. I performed the same test #2. After
> changing the password once on the provider, only the pwdFailureTime
> attributes were deleted on the consumer. If I changed the password a
> second time on the provider, the pwdAccountLockedTime attribute on the
> consumer gets deleted this time ...
> Is it how it is supposed to work?
>

Just saw that bug report ITS #5398 regarding OL 2.4.x:
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5398;selectid=5398

But it has been unanswered since last February. The same behavior can
be observed in OL 2.3.43.

--
Sam
