Re: chain and ppolicy question

[Tony Earnshaw <tonni@hetnet.nl>]

Gavin Henry skrev, on 06-12-2007 23:13:

> > My site is implementing ppolicy on a 4-server OpenLDAP/RHEL5 setup. I
> > have a problem with chaining referrals from the 3 slaves to the master.
> > I followed the slapo-chain man page and chaining works:
> >
> > moduleload      back_ldap.la
> >
> > overlay chain
> >
> > chain-uri               "ldaps://mercurius.intern"
> > chain-idassert-bind     bindmethod="simple"
> >                         binddn="cn=proxy,dc=barlaeus,dc=nl"
> >                         credentials="secret"
> > chain-return-error      true
> >
> > cn=proxy,dc=barlaeus,dc=nl is the rootdn on all servers, thus also on
> > the master.
> >
> > The rootdn is not able to update passwords. I have no idea why the 
> > rootdn shouldn't be able to update passwords (PASSMOD). However, it 
> > seems to me that the chaining from the slave should be carried out as 
> > the actual user and not rootdn. I can find nothing in slapo-chain or 
> > slapd-ldap that lists this possibility.
> >
> > Can anyone here help with this?
>
> What are you logs/-d saying?

It's been a while since and up to now I've only had logs going back 5 
days (I've increased this to 21 days now, but that doesn't help here).

Basically, the rootdn bound, issued a PASSMOD instruction for 
userPassword and got a reply tag=103 error=0; it then did a MOD 
instruction for shadowLastChange and got the same. userPassword wasn't 
changed, but shadowLastChange was.

By having the slave server connect directly to the provider instead of 
using the consumer's chain function, all happens as expected, so that's 
the workaround at the present- but it's far from optimal.

Best,

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl