
Re: ppolicy in back_ldap?



>>> I've noticed the following in the logs though which confuses me even
>>> more:
>>>
>>> PROXIED attributeDescription "PWDHISTORY" inserted.
>>> PROXIED attributeDescription "PWDPOLICYSUBENTRY" inserted.
>>> PROXIED attributeDescription "PWDCHANGEDTIME" inserted.
>>> PROXIED attributeDescription "PWDCHANGEDTIME" inserted.
>>>
>> This is a clear indication the schema is ***not*** loaded.  That's why I
>> asked.  The ppolicy schema is loaded by default when slapo-ppolicy is
>> built statically in slapd.  Otherwise you need to either load
>> ppolicy.schema, or load the ppolicy.la module.  In any case, the schema
>> must be present also on the proxy, even though the proxy does not need to
>> have the overlay instantiated.  It would be waaaaaay easier if you posted
>> your remote host & proxy configuration, and detailed how OpenLDAP was
>> built (namely, static or dynamic modules).
>>
>> p.
>>
>>
> I failed to mention the above messages were after I removed ppolicy.
> I'm using third party rpms from Buchan; it is built with dynamic modules:
> #####################################################
> Name        : openldap2.4-servers          Relocations: (not relocatable)
> Version     : 2.4.18                            Vendor: TelkomInternet
> Release     : 1.rhel5                       Build Date: Fri 18 Sep 2009 05:43:56 AM EDT
> Install Date: Mon 21 Sep 2009 05:47:01 PM EDT      Build Host: build.telkomsa.net
> Group       : System/Servers                Source RPM: openldap2.4-2.4.18-1.rhel5.src.rpm
> Size        : 4774420                          License: Artistic
> Signature   : DSA/SHA1, Fri 18 Sep 2009 05:52:27 AM EDT, Key ID ac92ba5060d204a7
> Packager    : Buchan Milne <bgmilne@staff.telkomsa.net>
> URL         : http://www.openldap.org
> Summary     : OpenLDAP servers and related files
> Description :
> OpenLDAP Servers
>
> This package contains the OpenLDAP server, slapd (LDAP server), additional
> backends, configuration files, schema definitions required for operation, and
> database maintenance tools
>
> This server package was compiled with support for the berkeley
> database library.
> ###########################################################
> Below are my configs (database config was added so I could convert over
> to cn=config which I can assure has not changed since I converted it):
>
> PROXY:
>
> include    /usr/share/openldap2.4/schema/core.schema
> include    /usr/share/openldap2.4/schema/cosine.schema
> include    /usr/share/openldap2.4/schema/corba.schema
> include    /usr/share/openldap2.4/schema/inetorgperson.schema
> include    /usr/share/openldap2.4/schema/java.schema
> include    /usr/share/openldap2.4/schema/krb5-kdc.schema
> include /usr/share/openldap2.4/schema/kerberosobject.schema
> include    /usr/share/openldap2.4/schema/nis.schema
> include    /usr/share/openldap2.4/schema/openldap.schema
> include /usr/share/openldap2.4/schema/autofs.schema
> include /usr/share/openldap2.4/schema/samba.schema
> include /usr/share/openldap2.4/schema/kolab.schema
> include /usr/share/openldap2.4/schema/evolutionperson.schema
> include /usr/share/openldap2.4/schema/calendar.schema
> include /usr/share/openldap2.4/schema/sudo.schema
> include /usr/share/openldap2.4/schema/dnszone.schema
> include /usr/share/openldap2.4/schema/dhcp.schema
> include /usr/share/openldap2.4/schema/ppolicy.schema

I see.  What I note is that some of the schema elements are only defined
by the overlay itself; they are not specified in the schema file.  This
makes sense, because they are operational, and slapd does not allow
operational attributes to be specified in the configuration.  For this
purpose, you need to

moduleload ppolicy.la

in your proxy configuration, *without* configuring the ppolicy overlay on
the proxy database.  This should make all attributes related to ppolicy
known to the proxy.  Does this solve all your issues, or is there anything
left?  I mean, apart from the fix to ITS#6530, which allows proxying
control responses on successful binds.

p.
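The diagnosis in this thread can be turned into a small check: the "PROXIED attributeDescription ... inserted" log lines are the symptom, and the cure is `moduleload ppolicy.la` on the proxy (with `include ppolicy.schema` alone being insufficient, and `overlay ppolicy` not needed there). The script below is an added example, not code from the thread or from the OpenLDAP project. It assumes the set of operational attributes that slapo-ppolicy registers from its own code (pwdPolicySubentry, pwdChangedTime, pwdAccountLockedTime, pwdFailureTime, pwdHistory, pwdGraceUseTime, pwdReset), and the sample log lines and proxy slapd.conf fragment are constructed to mirror what the original poster showed; the `modulepath` value in the "fixed" configuration is a placeholder.

```python
import os
import re

# Operational attributes that slapo-ppolicy registers from its own code
# (ppolicy.c) rather than from ppolicy.schema.  A proxy that has not loaded
# ppolicy.la does not know them and logs them as "PROXIED attributeDescription
# ... inserted" when they show up in answers from the remote server.
# (Assumption for this example: this list matches the 2.4 overlay.)
PPOLICY_OPERATIONAL_ATTRS = {
    "pwdpolicysubentry",
    "pwdchangedtime",
    "pwdaccountlockedtime",
    "pwdfailuretime",
    "pwdhistory",
    "pwdgraceusetime",
    "pwdreset",
}

PROXIED_RE = re.compile(r'PROXIED attributeDescription "([^"]+)" inserted\.')

# Constructed sample: the log lines quoted in the thread.
SAMPLE_LOG = [
    'PROXIED attributeDescription "PWDHISTORY" inserted.',
    'PROXIED attributeDescription "PWDPOLICYSUBENTRY" inserted.',
    'PROXIED attributeDescription "PWDCHANGEDTIME" inserted.',
    'PROXIED attributeDescription "PWDCHANGEDTIME" inserted.',
]

# Constructed sample: a proxy slapd.conf fragment in the shape the poster used
# (schema file included, back-ldap database, no ppolicy module loaded).
PROXY_CONF_AS_POSTED = """\
include    /usr/share/openldap2.4/schema/core.schema
include    /usr/share/openldap2.4/schema/ppolicy.schema

database   ldap
suffix     "dc=example,dc=com"
uri        "ldap://remote.example.com"
"""


def proxied_attributes(log_lines):
    """Return the lowercased names of attributes the proxy had to insert on the fly."""
    found = set()
    for line in log_lines:
        match = PROXIED_RE.search(line)
        if match:
            found.add(match.group(1).lower())
    return found


def inspect_slapd_conf(conf_text):
    """Report which ppolicy-related directives a slapd.conf text contains."""
    state = {"schema_included": False, "module_loaded": False, "overlay_configured": False}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        arg = tokens[1] if len(tokens) > 1 else ""
        if directive == "include" and os.path.basename(arg) == "ppolicy.schema":
            state["schema_included"] = True
        elif directive == "moduleload" and os.path.basename(arg).startswith("ppolicy"):
            state["module_loaded"] = True
        elif directive == "overlay" and arg.lower() == "ppolicy":
            state["overlay_configured"] = True
    return state


def diagnose_proxy(conf_text, log_lines):
    """Combine the log symptom with the config state into the thread's findings."""
    report = inspect_slapd_conf(conf_text)
    unknown = proxied_attributes(log_lines) & PPOLICY_OPERATIONAL_ATTRS
    report["unknown_ppolicy_attrs"] = sorted(unknown)
    findings = []
    if unknown and not report["module_loaded"]:
        # include ppolicy.schema does not cover the operational attributes;
        # only loading the module makes them known to the proxy.
        findings.append("add 'moduleload ppolicy.la' to the proxy configuration "
                        "(including ppolicy.schema alone is not enough)")
    if report["overlay_configured"]:
        findings.append("'overlay ppolicy' is instantiated on the proxy database; "
                        "the proxy only needs the module loaded, not the overlay")
    report["findings"] = findings
    return report


if __name__ == "__main__":
    for key, value in diagnose_proxy(PROXY_CONF_AS_POSTED, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Running it against the posted configuration reports the three unknown ppolicy attributes and the single finding that `moduleload ppolicy.la` is missing; appending that directive (plus a suitable `modulepath`) to the fragment makes the findings list empty.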