I'm trying to setup OpenLDAP on CentOS7, in a provider/consumer relationship. In general, provider/consumer is working quite well, except when it comes to password policy. Specifically, I want PwdFailureTime to be written to the provider from one of the front end consumers when appropriate. I'm lead to believe this requires: a) ppolicy_foward_updates TRUE (done) b) an appropriate syncrepl configuration for the consumer (I believe done) c) updateref $LDAP-provider-URI (done) d) an appropriate chain overlay on the provider (I think done) e) appropriate ACLs on the provider to allow the consumer bind-user access to manage PwdFailureTime (I believe done) I've attempted all of the above, but the consumer (when run in debugging mode), does not seem to be trying any updates upon authentication failure. It gives no indication of modifying locally, or of trying to contact the provider at all over this. Any idea whats going wrong?