(ITS#3980) ppolicy overlay replication problems
Full_Name: Kevin Spicer
Version: 2.3.6
OS: Gentoo, kernel 2.6.9
URL:
Submission from: (NULL) (213.152.53.60)
I've run into some problems with password updates when using slurpd replication
and the ppolicy overlay. The reports that follow are based on a test system I
set up using Gentoo and the latest OpenLDAP compiled from the tar.gz (not a
Gentoo ebuild); however, I've seen similar symptoms on my production system
running Solaris 9 (sparc) and OpenLDAP 2.2.x.
The problem appears to be related to grace logins; I've tested four scenarios as
follows. It's also worth mentioning that whilst I'm aware that the pwdGraceLogin
attribute isn't replicated and that grace logins against replicas aren't
recorded on the master, this isn't what I'm reporting here (although it's not
ideal, I understand the difficulty and can live with that).
1) User performs grace login against master, then on a subsequent login changes
their password
2) User performs grace logins against master repeatedly, exhausting grace
logins. Then an administrator (other user with write permission, not the
rootdn) changes their password
3) User performs grace login against replica, then on a subsequent login changes
their password (on the master of course)
4) User performs grace logins against replica repeatedly, exhausting grace
logins. Then an administrator changes their password (again, on the master of
course)
Of these only scenario 3 works correctly (password change replicated, grace
logins removed on both master and replica).
Scenarios 1 and 2 result in the new password NOT being replicated, although
grace logins on the master are deleted. I suspect this is because slurpd is
attempting to delete 'pwdGraceUseTime' on the replica, causing the modify to
fail as the attribute is not present.
Scenario 4 results in the new password being replicated, but grace logins not
being removed on the replica, meaning the user cannot bind to the replica. I
suspect this is because there is no pwdGraceUseTime attribute on the master, so
slurpd does not attempt to delete it. (Obviously this works in scenario 1
because the act of binding as the user to change the password constitutes a
grace use which is subsequently deleted, and thus replicated; this is guesswork
though!)
There follows further information for each scenario, dumps of the user from both
the master and the replica (obtained with slapcat), diffs between them, and the
contents of the replogfile in each case.
##################
### SCENARIO 1 ###
##################
User performs grace login against master, then on a subsequent login changes
their password
##### Dump of testuser from master database follows...
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: testuser
uid: testuser
uidNumber: 1000
gidNumber: 500
homeDirectory: /home/testuser
gecos: Test User
pwdPolicySubentry: cn=testpolicy,ou=policy,dc=example,dc=com
structuralObjectClass: account
entryUUID: e0f239c8-ac09-1029-91a7-fbf85d729c3f
creatorsName: cn=Manager,dc=example,dc=com
createTimestamp: 20050828122034Z
userPassword:: e1NTSEF9eGpXSlpELy82R28xTkIrY25laVBlYUxMUElnVjJLNEg=
entryCSN: 20050828122157Z#000001#00#000000
modifiersName: uid=testuser,ou=People,dc=example,dc=com
modifyTimestamp: 20050828122157Z
pwdChangedTime: 20050828122157Z
pwdHistory: 20050828122157Z#1.3.6.1.4.1.1466.115.121.1.40#29#{MD5}X03MO1qnZdYd
gyfeuILPmQ==
##### Dump of testuser from replica database follows...
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: testuser
uid: testuser
uidNumber: 1000
gidNumber: 500
homeDirectory: /home/testuser
gecos: Test User
userPassword:: e01ENX1YMDNNTzFxblpkWWRneWZldUlMUG1RPT0=
pwdPolicySubentry: cn=testpolicy,ou=policy,dc=example,dc=com
structuralObjectClass: account
entryUUID: e0f239c8-ac09-1029-91a7-fbf85d729c3f
creatorsName: cn=Manager,dc=example,dc=com
createTimestamp: 20050828122034Z
entryCSN: 20050828122034Z#000002#00#000000
modifiersName: cn=Manager,dc=example,dc=com
modifyTimestamp: 20050828122034Z
pwdChangedTime: 20050828122034Z
##### Diff follows...
--- /tmp/slapmaster.out 2005-08-28 13:25:57.472160576 +0100
+++ /tmp/slapreplica.out 2005-08-28 13:25:57.493157384 +0100
@@ -8,16 +8,14 @@
gidNumber: 500
homeDirectory: /home/testuser
gecos: Test User
+userPassword:: e01ENX1YMDNNTzFxblpkWWRneWZldUlMUG1RPT0=
pwdPolicySubentry: cn=testpolicy,ou=policy,dc=example,dc=com
structuralObjectClass: account
entryUUID: e0f239c8-ac09-1029-91a7-fbf85d729c3f
creatorsName: cn=Manager,dc=example,dc=com
createTimestamp: 20050828122034Z
-userPassword:: e1NTSEF9eGpXSlpELy82R28xTkIrY25laVBlYUxMUElnVjJLNEg=
-entryCSN: 20050828122157Z#000001#00#000000
-modifiersName: uid=testuser,ou=People,dc=example,dc=com
-modifyTimestamp: 20050828122157Z
-pwdChangedTime: 20050828122157Z
-pwdHistory:
20050828122157Z#1.3.6.1.4.1.1466.115.121.1.40#29#{MD5}X03MO1qnZdYd
- gyfeuILPmQ==
+entryCSN: 20050828122034Z#000002#00#000000
+modifiersName: cn=Manager,dc=example,dc=com
+modifyTimestamp: 20050828122034Z
+pwdChangedTime: 20050828122034Z
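Review bot: the hunk shows an all-or-nothing miss rather than a partial apply: every `-` line is absent on the replica (userPassword, entryCSN, modifiersName, modifyTimestamp, pwdChangedTime, pwdHistory) and the replica still carries entryCSN 20050828122034Z#000002#00#000000 from the original add. That is the footprint of an atomic LDAP Modify (RFC 4511 section 4.6) being rejected as a whole, which is consistent with the `delete: pwdGraceUseTime` in the replog that follows failing with noSuchAttribute on an entry that never had the attribute; slurpd's .rej file for localhost:2001 would carry the replica's result code and is the one piece of evidence missing from the report. Also, the `-pwdHistory:` value has been wrapped by the mailer so its continuation `20050828122157Z#...` lacks the `-` prefix; the diff will not apply as pasted.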
##### replogfile follows
replica: localhost:2001
time: 1125231717
dn: uid=testuser,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword:: e1NTSEF9eGpXSlpELy82R28xTkIrY25laVBlYUxMUElnVjJLNEg=
-
replace: entryCSN
entryCSN: 20050828122157Z#000001#00#000000
-
replace: modifiersName
modifiersName: uid=testuser,ou=People,dc=example,dc=com
-
replace: modifyTimestamp
modifyTimestamp: 20050828122157Z
-
replace: pwdChangedTime
pwdChangedTime: 20050828122157Z
-
delete: pwdGraceUseTime
-
add: pwdHistory
pwdHistory:
20050828122157Z#1.3.6.1.4.1.1466.115.121.1.40#29#{MD5}X03MO1qnZdYd
gyfeuILPmQ==
-
##################
### SCENARIO 2 ###
##################
User performs grace logins against master repeatedly, exhausting grace logins.
Then an administrator (other user with write permission, not the rootdn) changes
their password
##### Dump of testuser from master database follows...
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: testuser
uid: testuser
uidNumber: 1000
gidNumber: 500
homeDirectory: /home/testuser
gecos: Test User
pwdPolicySubentry: cn=testpolicy,ou=policy,dc=example,dc=com
structuralObjectClass: account
entryUUID: b9114dca-ac0b-1029-811e-cb9096c81114
creatorsName: cn=Manager,dc=example,dc=com
createTimestamp: 20050828123346Z
userPassword:: e1NTSEF9bmxkQ2R1N2h5VGY2OWs0T0RmTWhLMEdUcFl1NFkvU0g=
entryCSN: 20050828123651Z#000001#00#000000
modifiersName: uid=testadmin,ou=People,dc=example,dc=com
modifyTimestamp: 20050828123651Z
pwdChangedTime: 20050828123651Z
pwdHistory: 20050828123651Z#1.3.6.1.4.1.1466.115.121.1.40#29#{MD5}X03MO1qnZdYd
gyfeuILPmQ==
##### Dump of testuser from replica database follows...
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: testuser
uid: testuser
uidNumber: 1000
gidNumber: 500
homeDirectory: /home/testuser
gecos: Test User
userPassword:: e01ENX1YMDNNTzFxblpkWWRneWZldUlMUG1RPT0=
pwdPolicySubentry: cn=testpolicy,ou=policy,dc=example,dc=com
structuralObjectClass: account
entryUUID: b9114dca-ac0b-1029-811e-cb9096c81114
creatorsName: cn=Manager,dc=example,dc=com
createTimestamp: 20050828123346Z
entryCSN: 20050828123346Z#000002#00#000000
modifiersName: cn=Manager,dc=example,dc=com
modifyTimestamp: 20050828123346Z
pwdChangedTime: 20050828123346Z
##### Diff follows...
--- /tmp/slapmaster.out 2005-08-28 13:40:51.522244304 +0100
+++ /tmp/slapreplica.out 2005-08-28 13:40:51.542241264 +0100
@@ -8,16 +8,14 @@
gidNumber: 500
homeDirectory: /home/testuser
gecos: Test User
+userPassword:: e01ENX1YMDNNTzFxblpkWWRneWZldUlMUG1RPT0=
pwdPolicySubentry: cn=testpolicy,ou=policy,dc=example,dc=com
structuralObjectClass: account
entryUUID: b9114dca-ac0b-1029-811e-cb9096c81114
creatorsName: cn=Manager,dc=example,dc=com
createTimestamp: 20050828123346Z
-userPassword:: e1NTSEF9bmxkQ2R1N2h5VGY2OWs0T0RmTWhLMEdUcFl1NFkvU0g=
-entryCSN: 20050828123651Z#000001#00#000000
-modifiersName: uid=testadmin,ou=People,dc=example,dc=com
-modifyTimestamp: 20050828123651Z
-pwdChangedTime: 20050828123651Z
-pwdHistory:
20050828123651Z#1.3.6.1.4.1.1466.115.121.1.40#29#{MD5}X03MO1qnZdYd
- gyfeuILPmQ==
+entryCSN: 20050828123346Z#000002#00#000000
+modifiersName: cn=Manager,dc=example,dc=com
+modifyTimestamp: 20050828123346Z
+pwdChangedTime: 20050828123346Z
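Review bot: same shape as scenario 1 with testadmin as modifiersName, so the administrator path fails identically and the rejection is not tied to the self-change case. One inconsistency to fix before triage: the replog record that follows carries entryCSN 20050828121235Z and a different userPassword value from the master dump in this hunk (entryCSN 20050828123651Z), so the replog excerpt comes from an earlier run of this scenario, not the run the dumps were taken from.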
##### replogfile follows
replica: localhost:2001
time: 1125231155
dn: uid=testuser,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword:: e1NTSEF9cWZwZXNWV0l1djB2cHJWbFRmZk5MSk5ZWEpQL1JvY2I=
-
replace: entryCSN
entryCSN: 20050828121235Z#000001#00#000000
-
replace: modifiersName
modifiersName: uid=testadmin,ou=People,dc=example,dc=com
-
replace: modifyTimestamp
modifyTimestamp: 20050828121235Z
-
replace: pwdChangedTime
pwdChangedTime: 20050828121235Z
-
delete: pwdGraceUseTime
-
add: pwdHistory
pwdHistory: 20050828121235Z#1.3.6.1.4.1.1466.115.121.1.40#29#{MD5}X03MO1qnZdYd
gyfeuILPmQ==
-
##################
### SCENARIO 3 ###
##################
User performs grace login against replica, then on a subsequent login changes
their password (on the master of course)
##### Dump of testuser follows (SAME on master and replica, no diff)
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: testuser
uid: testuser
uidNumber: 1000
gidNumber: 500
homeDirectory: /home/testuser
gecos: Test User
pwdPolicySubentry: cn=testpolicy,ou=policy,dc=example,dc=com
structuralObjectClass: account
entryUUID: 0327c4da-ac0b-1029-816c-c86eed8f9f46
creatorsName: cn=Manager,dc=example,dc=com
createTimestamp: 20050828122841Z
userPassword:: e1NTSEF9VU5ZN0hiNFJyQ3pRak9KREEvaGpxTzE5L1FHOTkxUEk=
entryCSN: 20050828123104Z#000001#00#000000
modifiersName: uid=testuser,ou=People,dc=example,dc=com
modifyTimestamp: 20050828123104Z
pwdChangedTime: 20050828123104Z
pwdHistory: 20050828123104Z#1.3.6.1.4.1.1466.115.121.1.40#29#{MD5}X03MO1qnZdYd
gyfeuILPmQ==
##### replogfile follows
replica: localhost:2001
time: 1125232264
dn: uid=testuser,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword:: e1NTSEF9VU5ZN0hiNFJyQ3pRak9KREEvaGpxTzE5L1FHOTkxUEk=
-
replace: entryCSN
entryCSN: 20050828123104Z#000001#00#000000
-
replace: modifiersName
modifiersName: uid=testuser,ou=People,dc=example,dc=com
-
replace: modifyTimestamp
modifyTimestamp: 20050828123104Z
-
replace: pwdChangedTime
pwdChangedTime: 20050828123104Z
-
delete: pwdGraceUseTime
-
add: pwdHistory
pwdHistory: 20050828123104Z#1.3.6.1.4.1.1466.115.121.1.40#29#{MD5}X03MO1qnZdYd
gyfeuILPmQ==
-
##################
### SCENARIO 4 ###
##################
User performs grace logins against replica repeatedly, exhausting grace logins.
Then an administrator changes their password (again, on the master of course)
##### Dump of testuser from master database follows...
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: testuser
uid: testuser
uidNumber: 1000
gidNumber: 500
homeDirectory: /home/testuser
gecos: Test User
pwdPolicySubentry: cn=testpolicy,ou=policy,dc=example,dc=com
structuralObjectClass: account
entryUUID: 1f9809e4-ac07-1029-8f79-8c00a3b3bea4
creatorsName: cn=Manager,dc=example,dc=com
createTimestamp: 20050828120051Z
userPassword:: e1NTSEF9eWh3emNHRDFySTlqSkhFM05Rb3NFNGgyc3UvK3ZLRmM=
entryCSN: 20050828120326Z#000001#00#000000
modifiersName: uid=testadmin,ou=People,dc=example,dc=com
modifyTimestamp: 20050828120326Z
pwdChangedTime: 20050828120326Z
pwdHistory: 20050828120326Z#1.3.6.1.4.1.1466.115.121.1.40#29#{MD5}X03MO1qnZdYd
gyfeuILPmQ==
##### Dump of testuser from replica database follows...
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: testuser
uid: testuser
uidNumber: 1000
gidNumber: 500
homeDirectory: /home/testuser
gecos: Test User
pwdPolicySubentry: cn=testpolicy,ou=policy,dc=example,dc=com
structuralObjectClass: account
entryUUID: 1f9809e4-ac07-1029-8f79-8c00a3b3bea4
creatorsName: cn=Manager,dc=example,dc=com
createTimestamp: 20050828120051Z
pwdGraceUseTime: 20050828120141Z
pwdGraceUseTime: 20050828120212Z
pwdGraceUseTime: 20050828120214Z
userPassword:: e1NTSEF9eWh3emNHRDFySTlqSkhFM05Rb3NFNGgyc3UvK3ZLRmM=
entryCSN: 20050828120326Z#000001#00#000000
modifiersName: uid=testadmin,ou=People,dc=example,dc=com
modifyTimestamp: 20050828120326Z
pwdChangedTime: 20050828120326Z
pwdHistory: 20050828120326Z#1.3.6.1.4.1.1466.115.121.1.40#29#{MD5}X03MO1qnZdYd
gyfeuILPmQ==
##### Diff follows...
--- /tmp/slapmaster.out 2005-08-28 13:05:26.362317720 +0100
+++ /tmp/slapreplica.out 2005-08-28 13:05:26.388313768 +0100
@@ -13,6 +13,9 @@
entryUUID: 1f9809e4-ac07-1029-8f79-8c00a3b3bea4
creatorsName: cn=Manager,dc=example,dc=com
createTimestamp: 20050828120051Z
+pwdGraceUseTime: 20050828120141Z
+pwdGraceUseTime: 20050828120212Z
+pwdGraceUseTime: 20050828120214Z
userPassword:: e1NTSEF9eWh3emNHRDFySTlqSkhFM05Rb3NFNGgyc3UvK3ZLRmM=
entryCSN: 20050828120326Z#000001#00#000000
modifiersName: uid=testadmin,ou=People,dc=example,dc=com
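Review bot: this hunk is the mirror image of the other two: the replica took the whole modify (same entryCSN 20050828120326Z#000001#00#000000, same userPassword) and differs only by the three `+pwdGraceUseTime` values, so nothing was rejected; the replog that follows simply contains no `delete: pwdGraceUseTime` because the master entry had none to delete. Taken together the three hunks support the report's reading: replica-local pwdGraceUseTime values are invisible to the master, and a replog `delete` is emitted only when the master itself holds the attribute.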
##### replogfile follows
replica: localhost:2001
time: 1125230606
dn: uid=testuser,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword:: e1NTSEF9eWh3emNHRDFySTlqSkhFM05Rb3NFNGgyc3UvK3ZLRmM=
-
replace: entryCSN
entryCSN: 20050828120326Z#000001#00#000000
-
replace: modifiersName
modifiersName: uid=testadmin,ou=People,dc=example,dc=com
-
replace: modifyTimestamp
modifyTimestamp: 20050828120326Z
-
replace: pwdChangedTime
pwdChangedTime: 20050828120326Z
-
add: pwdHistory
pwdHistory: 20050828120326Z#1.3.6.1.4.1.1466.115.121.1.40#29#{MD5}X03MO1qnZdYd
gyfeuILPmQ==
-
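What the report's hypothesis predicts, modelled as an added Python example (not code from OpenLDAP or from this report): an LDAP Modify is atomic under RFC 4511, so a replog record whose `delete: pwdGraceUseTime` names an attribute the replica entry does not hold is rejected as a whole, old password included, while a record that omits the delete applies cleanly and leaves the replica's grace-use timestamps behind. The replog text, entry contents and hash strings are constructed stand-ins for the page's values, and `parse_replog`, `apply_modify` and `replicate` are this example's own helpers; it models the protocol rule, not slurpd's code.

```python
"""Model of how a slurpd replog 'modify' lands on a replica entry.

Added example; not code from OpenLDAP or from the ITS report. It applies the
RFC 4511 rule that a Modify is atomic (every listed change succeeds or the
whole operation is rejected) to replog records modelled on the ones in the
report. Entries are plain dicts of attribute -> list of values; base64
("attr::") values are kept in their encoded form, which is enough to compare
before/after state. Hash values below are constructed placeholders.
"""
from copy import deepcopy

NO_SUCH_ATTRIBUTE = 16  # LDAP resultCode noSuchAttribute (RFC 4511)


class ModifyRejected(Exception):
    """Raised when a component change cannot be applied; carries resultCode."""
    def __init__(self, code, message):
        super().__init__(message)
        self.code = code


def parse_replog(text):
    """Parse one replog modify record into (dn, [[op, attr, values], ...]).

    Handles the subset seen in the report: replica/time/dn/changetype header,
    add/replace/delete blocks terminated by a lone '-', and LDIF continuation
    lines (leading space).
    """
    dn, mods, current = None, [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line == "-":                       # end of the current mod block
            if current is not None:
                mods.append(current)
                current = None
            continue
        if line.startswith(" "):              # LDIF continuation line
            current[2][-1] += line[1:]
            continue
        key, _, value = line.partition(":")
        value = value.lstrip(":").strip()     # 'attr:: b64' keeps the encoded form
        if key in ("replica", "time", "changetype"):
            continue
        if key == "dn":
            dn = value
        elif key in ("add", "replace", "delete"):
            current = [key, value, []]
        else:                                 # attribute value inside a mod block
            current[2].append(value)
    return dn, mods


def apply_modify(entry, mods):
    """Apply mods atomically: return the new entry, or raise ModifyRejected and
    leave the caller's entry untouched (RFC 4511 section 4.6 semantics)."""
    work = deepcopy(entry)
    for op, attr, values in mods:
        if op == "replace":
            if values:
                work[attr] = list(values)
            else:
                work.pop(attr, None)          # replace with no values removes it
        elif op == "add":
            work.setdefault(attr, []).extend(values)
        elif op == "delete":
            if attr not in work:
                raise ModifyRejected(NO_SUCH_ATTRIBUTE,
                                     "delete: %s: no such attribute" % attr)
            if not values:                    # 'delete: attr' with no values
                del work[attr]
                continue
            for v in values:
                if v not in work[attr]:
                    raise ModifyRejected(NO_SUCH_ATTRIBUTE,
                                         "delete: %s: value not present" % attr)
                work[attr].remove(v)
            if not work[attr]:
                del work[attr]
        else:
            raise ValueError("unsupported mod op %r" % op)
    return work


def replicate(entry, replog_text):
    """Return ("ok", 0, new_entry) or ("rejected", resultCode, entry)."""
    _, mods = parse_replog(replog_text)
    try:
        return "ok", 0, apply_modify(entry, mods)
    except ModifyRejected as exc:
        return "rejected", exc.code, entry


# Constructed replog, trimmed to the changes that matter (shape of scenario 1).
REPLOG_WITH_DELETE = """\
replica: localhost:2001
time: 1125231717
dn: uid=testuser,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}new-hash-constructed
-
replace: pwdChangedTime
pwdChangedTime: 20050828122157Z
-
delete: pwdGraceUseTime
-
add: pwdHistory
pwdHistory: 20050828122157Z#1.3.6.1.4.1.1466.115.121.1.40#29#{MD5}X03MO1qnZdYd
 gyfeuILPmQ==
-
"""
# Scenario 4 shape: the master had no pwdGraceUseTime, so no delete was logged.
REPLOG_WITHOUT_DELETE = REPLOG_WITH_DELETE.replace("delete: pwdGraceUseTime\n-\n", "")

GRACE = ["20050828120141Z", "20050828120212Z", "20050828120214Z"]
REPLICA_NO_GRACE = {"userPassword": ["{MD5}old-hash-constructed"],
                    "pwdChangedTime": ["20050828122034Z"]}
REPLICA_WITH_GRACE = dict(REPLICA_NO_GRACE, pwdGraceUseTime=list(GRACE))

if __name__ == "__main__":
    cases = (("scenario 1/2", REPLICA_NO_GRACE, REPLOG_WITH_DELETE),
             ("scenario 3", REPLICA_WITH_GRACE, REPLOG_WITH_DELETE),
             ("scenario 4", REPLICA_WITH_GRACE, REPLOG_WITHOUT_DELETE))
    for label, before, log in cases:
        status, code, after = replicate(before, log)
        print(label, status, code, after.get("userPassword"), after.get("pwdGraceUseTime"))
```

Running it reproduces the three outcomes in the dumps: the delete against an entry with no pwdGraceUseTime rejects the whole record and the replica keeps the old password; the same record against an entry that recorded its own grace logins applies and clears them; and the record without a delete applies but leaves the replica's grace-use values in place.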