ODSEE 11g (11.1.1.7.x) PwdPolicySubentry Does Not Replicate Via Fractional Replication Agreement

(Doc ID 2305662.1)

Last updated on DECEMBER 11, 2017

Applies to:

Oracle Directory Server Enterprise Edition - Version 11.1.1.7.0 and later
Information in this document applies to any platform.

Symptoms

ODSEE 11.1.1.7.x master with a fractional replication agreement to consumer.

The replication agreement is set to include specific attributes (repl-fractional-include-attr). "pwdPolicySubentry" is one of the attributes which is replicated via the fractional replication.   For some reason, it never replicates.

The replication agreement is fine, and all other attributes replicate, but "pwdPolicySubentry" does not.

Changes

List agreements:

$ dsconf list-repl-agmts -h eds-eldap-t1.vuit.vanderbilt.edu -P 636 -D "cn=Directory Manager" dc=example,dc=com
Enter "cn=Directory Manager" password:
hostname1.domain.com:636
hostname2.domain.com:636

Agreement properties for fractional replication look right:

$ dsconf get-repl-agmt-prop -h hostname1.domain.com -P 636 -D "cn=Directory Manager" dc=example,dc=com hostname1.domain.com:636 repl-fractional-include-attr
Enter "cn=Directory Manager" password:
repl-fractional-include-attr : cn
repl-fractional-include-attr : cosAttribute
repl-fractional-include-attr : cosSpecifier
repl-fractional-include-attr : cosTemplateDN
repl-fractional-include-attr : displayName
repl-fractional-include-attr : givenName
repl-fractional-include-attr : mail
repl-fractional-include-attr : nsAccountLock
repl-fractional-include-attr : nsIdleTimeout
repl-fractional-include-attr : nsLookThroughLimit
repl-fractional-include-attr : nsSizeLimit
repl-fractional-include-attr : nsTimeLimit
repl-fractional-include-attr : objectClass
repl-fractional-include-attr : pwdAttribute
repl-fractional-include-attr : pwdKeepLastAuthTime
repl-fractional-include-attr : pwdPolicySubentry
repl-fractional-include-attr : sn
repl-fractional-include-attr : telephoneNumber
repl-fractional-include-attr : uid
repl-fractional-include-attr : userPassword
repl-fractional-include-attr : loginShell

Agreement status shows good:

$ dsconf show-repl-agmt-status -h hostname1.example.com -P 636 -D "cn=Directory Manager" dc=example,dc=com hostname1.domain.com:636
Enter "cn=Directory Manager" password:
Configuration Status : Ok
Authentication Status : Ok
Initialization Status : Ok

Status : Enabled
Last Update Date : Jul 22, 2016 9:02:15 PM

 

But if we search an end user which should contain the "pwdPolicySubentry", we see that it does not on the consumer:

Master:

$ ldapsearch -b "uid=testUser,dc=example,dc=com" -h hostname1.example.com u -p 636 -Z -P /LDAP/certdb -D "cn=Directory Manager" -w - -s base "(objectClass=*)" pwdPolicySubentry
Enter bind password:
version: 1
dn: uid=testUser,dc=example,dc=com
pwdPolicySubentry: cn=Password Policy,uid=testUser,dc=example,dc=com

Consumer:

$ ldapsearch -b "uid=testUser,dc=example,dc=com" -h hostname2.domain.com -p 636 -Z -P /LDAP/certdb -D "cn=Directory Manager" -w - -s base "(objectClass=*)" pwdPolicySubentry
Enter bind password:
version: 1
dn: uid=testUser,dc=example,dc=com

 

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms