From aefa5f22520d565f5accfc2257f48ff31be9b17b Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 2 May 2022 11:53:47 -0400
Subject: [PATCH] Exclude passwordgraceusertime from replication

Treat this like other failed login attributes and don't
replicate them.

https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/install/replication.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 71b327a64..50368622b 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -64,9 +64,10 @@ WINSYNC = 2
 
 # List of attributes that need to be excluded from replication initialization.
 TOTAL_EXCLUDES = ('entryusn',
-                 'krblastsuccessfulauth',
-                 'krblastfailedauth',
-                 'krbloginfailedcount')
+                  'krblastsuccessfulauth',
+                  'krblastfailedauth',
+                  'krbloginfailedcount',
+                  'passwordgraceusertime',)
 
 # List of attributes that need to be excluded from normal replication.
 EXCLUDES = ('memberof', 'idnssoaserial') + TOTAL_EXCLUDES