
ODSEE 11g (11.1.1.7.x) PwdPolicySubentry Does Not Replicate Via Fractional Replication Agreement (Doc ID 2305662.1)

Last updated on APRIL 28, 2021

Applies to:

Oracle Directory Server Enterprise Edition - Version 11.1.1.7.0 and later
Information in this document applies to any platform.

Symptoms

An ODSEE 11.1.1.7.x Primary Server has a fractional replication agreement to a consumer.

The replication agreement is set to include specific attributes (repl-fractional-include-attr). "pwdPolicySubentry" is one of the attributes included in the fractional replication, but it never replicates.

The replication agreement is fine, and all other attributes replicate, but "pwdPolicySubentry" does not.

Changes

List agreements:

$ dsconf list-repl-agmts -h hostname1.DN.COM -P 636 -D "cn=DS_ADMIN" dc=SUFFIX_DN
Enter "cn=DS_ADMIN" password:
hostname1.DN.COM:636
hostname2.DN.COM:636

Agreement properties for fractional replication look right:

$ dsconf get-repl-agmt-prop -h hostname1.DN.COM -P 636 -D "cn=DS_ADMIN" dc=SUFFIX_DN hostname1.DN.COM:636 repl-fractional-include-attr
Enter "cn=DS_ADMIN" password:
repl-fractional-include-attr : cn
repl-fractional-include-attr : cosAttribute
repl-fractional-include-attr : cosSpecifier
repl-fractional-include-attr : cosTemplateDN
repl-fractional-include-attr : displayName
repl-fractional-include-attr : givenName
repl-fractional-include-attr : mail
repl-fractional-include-attr : nsAccountLock
repl-fractional-include-attr : nsIdleTimeout
repl-fractional-include-attr : nsLookThroughLimit
repl-fractional-include-attr : nsSizeLimit
repl-fractional-include-attr : nsTimeLimit
repl-fractional-include-attr : objectClass
repl-fractional-include-attr : pwdAttribute
repl-fractional-include-attr : pwdKeepLastAuthTime
repl-fractional-include-attr : pwdPolicySubentry
repl-fractional-include-attr : sn
repl-fractional-include-attr : telephoneNumber
repl-fractional-include-attr : uid
repl-fractional-include-attr : userPassword
repl-fractional-include-attr : loginShell

Agreement status is good:

$ dsconf show-repl-agmt-status -h hostname1.example.com -P 636 -D "cn=DS_ADMIN" dc=SUFFIX_DN hostname1.DN.COM:636
Enter "cn=DS_ADMIN" password:
Configuration Status : Ok
Authentication Status : Ok
Initialization Status : Ok

Status : Enabled
Last Update Date : Jul 22, 2016 9:02:15 PM

 

But a search for an end-user entry that should contain "pwdPolicySubentry" shows that the attribute is missing on the consumer:

Primary Server:

$ ldapsearch -b "uid=testUser,dc=SUFFIX_DN" -h hostname1.example.com -p 636 -Z -P /LDAP/certdb -D "cn=DS_ADMIN" -w - -s base "(objectClass=*)" pwdPolicySubentry
Enter bind password:
version: 1
dn: uid=testUser,dc=SUFFIX_DN
pwdPolicySubentry: cn=Password Policy,uid=testUser,dc=SUFFIX_DN

Consumer:

$ ldapsearch -b "uid=testUser,dc=SUFFIX_DN" -h hostname2.DN.COM -p 636 -Z -P /LDAP/certdb -D "cn=DS_ADMIN" -w - -s base "(objectClass=*)" pwdPolicySubentry
Enter bind password:
version: 1
dn: uid=testUser,dc=SUFFIX_DN
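
The manual comparison above can be run across every attribute in the include list at once. The following is an added example, not Oracle's code: it parses saved dsconf and ldapsearch output in the formats shown above and reports included attributes that the primary returned but the consumer did not. Function names and sample text are constructed, and it assumes both searches requested the same attributes.

```python
# Added example: all function names and the sample text are constructed.

def parse_include_attrs(dsconf_output):
    """Names from 'repl-fractional-include-attr : <name>' lines, lowercased."""
    attrs = set()
    for line in dsconf_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "repl-fractional-include-attr":
            attrs.add(value.strip().lower())
    return attrs

def parse_ldif_attrs(ldif):
    """Map each entry DN (lowercased) to the set of attribute names returned."""
    entries, dn = {}, None
    # Unfold LDIF continuation lines (a newline followed by one space).
    for line in ldif.replace("\n ", "").splitlines():
        name, sep, value = line.partition(":")
        if not line.strip():
            dn = None                      # blank line ends the current entry
        elif not sep or " " in name or name == "version":
            continue                       # prompts, 'version: 1', stray text
        elif name.lower() == "dn":
            dn = value.lstrip(": ").strip().lower()  # base64 DNs are not decoded
            entries[dn] = set()
        elif dn is not None:
            entries[dn].add(name.split(";")[0].lower())  # drop ;options
    return entries

def missing_on_consumer(include_attrs, primary_ldif, consumer_ldif):
    """Per DN: included attributes the primary returned but the consumer did not."""
    primary = parse_ldif_attrs(primary_ldif)
    consumer = parse_ldif_attrs(consumer_ldif)
    report = {}
    for dn, p_attrs in primary.items():
        gap = (p_attrs & include_attrs) - consumer.get(dn, set())
        if gap:
            report[dn] = sorted(gap)
    return report

# Constructed sample input, abbreviated from the session above.
AGMT = ("repl-fractional-include-attr : cn\n"
        "repl-fractional-include-attr : pwdPolicySubentry\n"
        "repl-fractional-include-attr : uid\n")
CONSUMER = ("Enter bind password:\nversion: 1\n"
            "dn: uid=testUser,dc=SUFFIX_DN\nuid: testUser\ncn: Test User\n")
PRIMARY = CONSUMER + "pwdPolicySubentry: cn=Password Policy,uid=testUser,dc=SUFFIX_DN\n"

if __name__ == "__main__":
    print(missing_on_consumer(parse_include_attrs(AGMT), PRIMARY, CONSUMER))
```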

 

Cause

To view full details, sign in with your My Oracle Support account.
