
Re: pwd* Attributes and replication



Hi,
Here are the configs:

Thanks!

MASTER:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /opt/openldap-2.4.11/etc/openldap/schema/core.schema
include /opt/openldap-2.4.11/etc/openldap/schema/cosine.schema
include /opt/openldap-2.4.11/etc/openldap/schema/inetorgperson.schema
include /opt/openldap-2.4.11/etc/openldap/schema/dnszone.schema
include /opt/openldap-2.4.11/etc/openldap/schema/nis.schema
include /opt/openldap-2.4.11/etc/openldap/schema/sudo.schema
include /opt/openldap-2.4.11/etc/openldap/schema/DUAConfigProfile.schema
include /opt/openldap-2.4.11/etc/openldap/schema/solaris.schema
include /opt/openldap-2.4.11/etc/openldap/schema/ppolicy.schema
include /opt/openldap-2.4.11/etc/openldap/schema/autofs.schema

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org
pidfile         /opt/openldap-2.4.11/var/run/slapd.pid
argsfile        /opt/openldap-2.4.11/var/run/slapd.args
# NOTE(review): LDAPv2 binds are accepted; LDAPv2 has no StartTLS and is
# normally left disabled unless a known legacy client needs it -- confirm.
allow bind_v2
# NOTE(review): {MD5} is an unsalted digest. ppolicy_hash_cleartext (below)
# hashes plaintext userPassword values with whatever is configured here, so
# this choice applies to every password the overlay stores. rootpw already
# uses {SSHA}; using the same scheme here would be consistent.
password-hash {MD5}
database        monitor

# TLS configuration
# NOTE(review): in an OpenSSL cipher string a "+" prefix only moves the
# matching suites to the end of the list, it does not exclude anything, and
# the cipher string does not by itself disable the SSLv2/SSLv3 protocols.
# A protocol floor is set with a separate directive (TLSProtocolMin in
# slapd.conf(5)) -- TODO confirm it is available in this 2.4.11 build.
TLSCipherSuite HIGH:MEDIUM:TLSv1:+SSLv2:+SSLv3
TLSCACertificateFile /etc/openldap/cacerts/ca-ldap.crt
TLSCertificateFile /etc/openldap/ldap1.crt
TLSCertificateKeyFile /etc/openldap/ldap1.key

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        bdb
suffix          "dc=empresa,dc=com"
rootdn          "cn=root,dc=empresa,dc=com"
# (value as posted to the list; presumably redacted)
rootpw          {SSHA}password
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /opt/openldap-2.4.11/var/openldap-data
# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
# Database access list
# userPassword: the entry owner may write it, anonymous may only use it to
# authenticate; any other identity matches no "by" clause and is denied.
access to attrs=userPassword
        by self write
        by anonymous auth

access to attrs=shadowLastChange
        by self write
        by * read

# NOTE(review): this grants anonymous read of everything else in the tree,
# presumably including the ppolicy state attributes (pwdFailureTime,
# pwdAccountLockedTime) discussed in the thread; confirm that is intended.
access to *
        by * read


# Replication
# NOTE(review): overlays stack in declaration order (a later overlay sits
# above an earlier one and sees an operation first). ppolicy is declared after
# syncprov here; whether ppolicy's own state writes (pwdFailureTime,
# pwdAccountLockedTime) pass through syncprov in this order -- the symptom
# described in the thread -- is worth checking against the slapo-ppolicy(5)
# ordering notes for this release. TODO confirm.
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# Password policies
overlay ppolicy
ppolicy_default "cn=Password,ou=Policies,dc=empresa,dc=com"
# hashes cleartext userPassword on add/modify using "password-hash" above
ppolicy_hash_cleartext
# NOTE(review): per slapo-ppolicy(5), with use_lockout a bind to a locked
# account returns AccountLocked instead of invalidCredentials, which reveals
# to the client that the account exists and is locked; weigh that disclosure
# against the better client-side diagnostics.
ppolicy_use_lockout

# Access Logging
overlay accesslog
logdb cn=log
# NOTE(review): only bind operations are logged. A delta-syncrepl consumer
# (syncdata=accesslog) needs write operations in the log; with only binds
# recorded this cn=log database cannot drive delta replication -- TODO confirm
# what the consumer's rid=124 directive is meant to achieve.
logops bind
logsuccess TRUE

# Access DB
database bdb
suffix "cn=log"
directory       /opt/openldap-2.4.11/var/openldap-accesslog
rootdn          "cn=log"
# NOTE(review): no "access" directives are given for this database, so the
# default policy governs who can read the bind audit records (which DN bound,
# when, with what result); confirm that is the intended exposure.
index default eq
# NOTE(review): the trailing comma after reqStart leaves an empty attribute
# name in the list; looks like a typo -- TODO confirm slapd accepts it.
index entryCSN,objectClass,reqEnd,reqResult,reqStart, eq,pres

# Syncrepl
# syncprov on the log database itself (the provider side of delta-syncrepl)
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE




SLAVE:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /opt/openldap-2.4.11/etc/openldap/schema/core.schema
include /opt/openldap-2.4.11/etc/openldap/schema/cosine.schema
include /opt/openldap-2.4.11/etc/openldap/schema/inetorgperson.schema
include /opt/openldap-2.4.11/etc/openldap/schema/dnszone.schema
include /opt/openldap-2.4.11/etc/openldap/schema/nis.schema
include /opt/openldap-2.4.11/etc/openldap/schema/sudo.schema
include /opt/openldap-2.4.11/etc/openldap/schema/DUAConfigProfile.schema
include /opt/openldap-2.4.11/etc/openldap/schema/solaris.schema
include /opt/openldap-2.4.11/etc/openldap/schema/ppolicy.schema
include /opt/openldap-2.4.11/etc/openldap/schema/autofs.schema

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /opt/openldap-2.4.11/var/run/slapd.pid
argsfile        /opt/openldap-2.4.11/var/run/slapd.args
# NOTE(review): LDAPv2 binds accepted (no StartTLS in LDAPv2); usually left
# disabled unless a known legacy client needs it -- confirm.
allow bind_v2
# NOTE(review): unsalted {MD5}; ppolicy_hash_cleartext below hashes plaintext
# userPassword values with this scheme. rootpw already uses {SSHA}.
password-hash {MD5}
database        monitor

# TLS configuration
# NOTE(review): no TLSCipherSuite or protocol floor is set on this host; the
# library defaults apply -- confirm they match what the master enforces.
TLSCACertificateFile /etc/openldap/cacerts/ca-ldap.crt
TLSCertificateFile /etc/openldap/ldap2.crt
TLSCertificateKeyFile /etc/openldap/ldap2.key

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        bdb
suffix          "dc=empresa,dc=com"
rootdn          "cn=root,dc=empresa,dc=com"
# (value as posted to the list; presumably redacted)
rootpw          {SSHA}password

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /opt/openldap-2.4.11/var/openldap-data

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
# Database Access list

# userPassword: owner may write, anonymous may only authenticate with it;
# any other identity matches no "by" clause and is denied.
access to * attrs=userPassword
       by self write
       by anonymous auth

access to * attrs=shadowLastChange
       by self write
       by * read

# NOTE(review): anonymous read of everything else, presumably including the
# replicated ppolicy state attributes; confirm that is intended.
access to * by * read

# Replication
# Transparently proxy updates to master
overlay                 chain
# NOTE(review): the trailing ";" is not slapd.conf syntax and looks like a
# typo. The URI is plain ldap://, so the "chain-tls start" below is what
# protects the chained writes (and the proxied credentials) on the wire.
chain-uri               "ldap://ldap1.empresa.com";
# NOTE(review): the consumer asserts the end user's identity (mode=self) while
# bound to the master as its rootdn, with the secret stored in cleartext here.
# Least privilege would be a dedicated chaining DN on the master that is
# allowed to assert identities (authzTo) rather than the master's rootdn;
# the file itself must stay non-world-readable as the header says.
chain-idassert-bind     bindmethod="simple"
                        binddn="cn=root,dc=empresa,dc=com"
                        credentials="password"
                        mode="self"
chain-tls               start
chain-return-error      TRUE


# Replication agent
# NOTE(review): replication also binds as the master's rootdn with a cleartext
# secret; a dedicated read-only replicator DN (with suitable size/time limits
# on the master) is the usual least-privilege choice. No tls_reqcert/tls_cacert
# option is given, so certificate verification for ldaps:// follows the
# library's ldap.conf defaults -- TODO confirm the provider cert is verified.
# refreshOnly at a 1 minute interval means any replicated pwd* state lags the
# master by up to a minute; refreshAndPersist is the common alternative.
# The local ppolicy overlay (below) will also record failed binds made against
# this consumer in its own copy of the entry -- presumably why local and
# master pwd* state can differ; verify.
syncrepl rid=123
                provider=ldaps://ldap1.empresa.com
                type=refreshOnly
                interval=00:00:01:00
                searchbase="dc=empresa,dc=com"
                filter="(objectClass=*)"
                scope=sub
                attrs="*,+"
                schemachecking=on
                retry="60 10 300 3"
                bindmethod=simple
                binddn="cn=root,dc=empresa,dc=com"
                credentials=password

# Refer updates to master
updateref               ldap://ldap1.empresa.com/

# Password policies
overlay ppolicy
ppolicy_default "cn=Password,ou=Policies,dc=empresa,dc=com"
# hashes cleartext userPassword using "password-hash" above
ppolicy_hash_cleartext
# NOTE(review): per slapo-ppolicy(5), use_lockout makes binds to a locked
# account return AccountLocked rather than invalidCredentials, disclosing
# lock status to the client.
ppolicy_use_lockout

# Access Logging
overlay accesslog
logdb cn=log
logops bind
logsuccess TRUE

# Access DB
database bdb
suffix "cn=log"
directory       /opt/openldap-2.4.11/var/openldap-accesslog
rootdn          "cn=log"
# NOTE(review): no "access" directives for this database; the default policy
# governs who can read the local bind audit records -- confirm.
index default eq
# NOTE(review): trailing comma after reqStart (same as on the master) leaves an
# empty attribute name; looks like a typo -- TODO confirm slapd accepts it.
index entryCSN,objectClass,reqEnd,reqResult,reqStart, eq,pres

# NOTE(review): this looks misplaced. A delta-syncrepl consumer directive
# (syncdata=accesslog, logbase=cn=log) normally lives on the main database
# with searchbase="dc=empresa,dc=com", so that log entries read from the
# master's cn=log are applied to the replicated tree. As written it sits on
# this host's own cn=log database, which the local accesslog overlay above is
# also writing to, and uses searchbase="cn=log". The master, moreover, only
# logs binds (logops bind), so there are no write records to replay.
# TODO confirm the intent of rid=124 -- it may be the cause of the thread's
# replication symptoms rather than the pwd* attributes themselves.
syncrepl rid=124
               provider=ldaps://ldap1.empresa.com
               bindmethod=simple
               binddn="cn=root,dc=empresa,dc=com"
               credentials=password
               type=refreshOnly
               interval=00:00:01:00
               filter="(objectClass=*)"
               retry="5 +"
               searchbase="cn=log"
               logbase="cn=log"
               syncdata=accesslog
#               type=refreshAndPersist
#               schemachecking=on

updateref               ldap://ldap1.empresa.com/




----- Original Message ----
From: Gavin Henry <ghenry@OpenLDAP.org>
To: Eyal Marantenboim <eyalmdiveo@yahoo.com>
Cc: openldap-technical@openldap.org
Sent: Monday, September 15, 2008 12:46:15 PM
Subject: Re: pwd* Attributes and replication

Eyal Marantenboim wrote:
> Hi,
> 
> We have 1 master and 1 secondary servers (version 2.4.11) using ppolicy.
> When a user tries to bind with incorrect credentials, the master server 
> gets populated with the pwdFailureTime attribute.
> After wrong credentials are entered 4 times, pwdAccountLockedTime is 
> added to that user.
> 
> Our problem is that the secondary server (using syncrepl) is not 
> replicating the pwd* values.
> I've noticed that neither entryCSN nor contextCSN are being updated (on 
> the master) when pwdFailureTime is added to the user (I'm not sure if it 
> should actually change).
> But, when we change any other attribute (userPassword, etc) on the 
> master, that does change entryCSN, and all pwd* attributes do get 
> updated in the secondary server.
> 
> I appreciate your help.
> Thanks!
> 

Config?

-- 
Kind Regards,

Gavin Henry.
OpenLDAP Engineering Team.

E ghenry@OpenLDAP.org

Community developed LDAP software.

http://www.openldap.org/project/