Red Hat Bugzilla – Bug 450973
rhds80 account accountunlocktime attribute breaks replication
Last modified: 2018-10-19 22:46:49 EDT
Escalated to Bugzilla from IssueTracker
Looks like there is a bug. The problem is twofold: 1) The supplier ignores the isglobalpolicy setting - it attempts to send the attributes, which would be OK except for 2) The consumer rejects mod operations that contain no valid modifications with err=53. The consumer does honor the isglobalpolicy setting, removes the invalid mods from the mod list, finds there are no mods left, and returns with err=53. The supplier does not recover from this error due to a bug in the async result handling code.
Created attachment 310042: diffs
This is for the actual bug - replication should not break. This fixes a bug in the replication error handling code so that replication will continue after getting the err=53 from the consumer. The other part of this fix is to simply not replicate those attributes. I believe this can be done by using fractional replication and adding the attributes passwordRetryCount, retryCountResetTime, accountUnlockTime to the list of attributes to not replicate. This will only work with the redhat-ds-base 8.0.0-13 or later - i.e. if you have installed redhat-ds-base but not upgraded to the latest one available in RHN, you need to do so, or fractional replication between masters will not work.
Correction - the fractional MMR fix is in 8.0.0-14 or later, not -13.
Created attachment 310060: cvs commit log
Reviewed by: nhosoi (Thanks!)
Fix Description: We were not handling errors returned from the consumer correctly in the async replication code. The problem was that we were exiting the async read results thread immediately. However, we needed to wait for and read all of the outstanding responses, then exit the thread when all of them had been read. The new code handles this case correctly, allowing us to read all of the pending responses before exiting. The flip side of this is that passwordIsGlobalPolicy only works on the _consumer_. It has no effect whatsoever on the _supplier_ side of replication. The fix for this is to configure fractional replication _always_ and to add the password policy op attrs to the list of attrs not to replicate. This should work fine with RHDS 8.0.0-14 and later.
Platforms tested: RHEL5
Flag Day: no
Doc impact: Yes. We will need to document exactly how passwordIsGlobalPolicy works and how to configure fractional replication.
QA impact: Will need to do more testing of MMR with account lockout to make sure this error does not blow up MMR anymore.
New Tests integrated into TET: Working on it.
*** Bug 442560 has been marked as a duplicate of this bug. ***
For information about how to exclude attributes from replication, see http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Configuring-Replication-cmd.html#Configuring-Replication-ReplAgmt-cmd and http://www.redhat.com/docs/manuals/dir-server/cli/8.0/Configuration_Command_File_Reference-Core_Server_Configuration_Reference-Core_Server_Configuration_Attributes_Reference.html#Configuration_Command_File_Reference-Core_Server_Configuration_Attributes_Reference-Replication_Attributes_under_cnReplicationAgreementName_cnreplica_cnsuffixName_cnmapping_tree_cnconfig (section 2.3.8.20, nsDS5ReplicatedAttributeList).
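The workaround discussed in this bug, as an added example (not code from Red Hat or from the attachments): a small script that builds the ldapmodify LDIF for a supplier's replication agreement, keeping any attributes already excluded and adding the three password policy attributes named above. The agreement DN, the sample existing value and the function names are constructed for illustration.

```python
# Added example: generate the fractional-replication change for one agreement.
# Assumes the "(objectclass=*) $ EXCLUDE attr ..." value syntax of
# nsDS5ReplicatedAttributeList; DN and sample input below are constructed.
POLICY_ATTRS = ["passwordRetryCount", "retryCountResetTime", "accountUnlockTime"]
PREFIX = "(objectclass=*) $ EXCLUDE"


def parse_exclude_list(value):
    """Return the attribute names already excluded by an existing value."""
    if value is None or not value.strip():
        return []
    head, _, tail = value.partition("$")
    tokens = tail.split()
    if (head.strip().lower() != "(objectclass=*)" or not tokens
            or tokens[0].upper() != "EXCLUDE"):
        raise ValueError(f"unrecognised nsDS5ReplicatedAttributeList: {value!r}")
    return tokens[1:]


def merge_exclude_list(current, extra=POLICY_ATTRS):
    """Keep existing exclusions and append `extra`, comparing names case-insensitively."""
    merged = parse_exclude_list(current)
    seen = {a.lower() for a in merged}
    for attr in extra:
        if attr.lower() not in seen:
            merged.append(attr)
            seen.add(attr.lower())
    return PREFIX + " " + " ".join(merged)


def agreement_ldif(agreement_dn, current=None):
    """Build the LDIF modify record to feed to ldapmodify on the supplier."""
    return "\n".join([
        f"dn: {agreement_dn}",
        "changetype: modify",
        "replace: nsDS5ReplicatedAttributeList",
        f"nsDS5ReplicatedAttributeList: {merge_exclude_list(current)}",
        "",
    ])


if __name__ == "__main__":
    # Constructed agreement DN; substitute the real agreement entry.
    dn = ('cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",'
          'cn=mapping tree,cn=config')
    print(agreement_ldif(dn, "(objectclass=*) $ EXCLUDE jpegPhoto"))
```

Per the comments above, the change belongs on every supplier's agreements, since passwordIsGlobalPolicy has no effect on the supplier side, and fractional replication between masters needs redhat-ds-base 8.0.0-14 or later.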
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2008-0602.html