
Re: Replication and user password change



On 04/04/2012 05:59 PM, anax wrote:

Hello,

> updateref               ldap://ldapmaster.symas.com
> 
> http://www.openldap.org/doc/admin24/replication.html#Replication%20Technology

Well, after reading the docs, I made some tests on a VM.

My goal is to allow users to change their password.

I have a working replication VM. On this VM I can login with my LDAP
password (PAM on this VM is client of the replica).

When I try to change the password using the passwd command, this error occurs:

% passwd
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information update failed: Referral
passwd: Permission denied
passwd: password unchanged

In the log I found this:

Apr  6 15:44:17 debian slapd[3044]: <<< dnPrettyNormal: <>, <>
Apr  6 15:44:17 debian slapd[3044]: SRCH "" 0 0
Apr  6 15:44:17 debian slapd[3044]:     1 0 0
Apr  6 15:44:17 debian slapd[3044]:     filter:
(?objectClass=passwordPolicy)
Apr  6 15:44:17 debian slapd[3044]:     attrs:
Apr  6 15:44:17 debian slapd[3044]:
Apr  6 15:44:17 debian slapd[3044]: conn=1007 op=7 SRCH base="" scope=0
deref=0 filter="(?objectClass=passwordPolicy)"
Apr  6 15:44:17 debian slapd[3044]: send_ldap_result: conn=1007 op=7 p=3
Apr  6 15:44:17 debian slapd[3044]: send_ldap_result: err=0 matched=""
text=""
Apr  6 15:44:17 debian slapd[3044]: send_ldap_response: msgid=8 tag=101
err=0
Apr  6 15:44:17 debian slapd[3044]: conn=1007 op=7 SEARCH RESULT tag=101
err=0 nentries=0 text=
Apr  6 15:44:22 debian slapd[3044]: connection_get(17)
Apr  6 15:44:22 debian slapd[3044]: connection_get(17): got connid=1007
Apr  6 15:44:22 debian slapd[3044]: connection_read(17): checking for
input on id=1007
Apr  6 15:44:22 debian slapd[3044]: op tag 0x66, time 1333719862
Apr  6 15:44:22 debian slapd[3044]: conn=1007 op=8 do_modify
Apr  6 15:44:22 debian slapd[3044]: conn=1007 op=8 do_modify: dn
(cn=Test Test,ou=People,dc=example,dc=com)
Apr  6 15:44:22 debian slapd[3044]: >>> dnPrettyNormal: <cn=Test
Test,ou=People,dc=example,dc=com>
Apr  6 15:44:22 debian slapd[3044]: <<< dnPrettyNormal: <cn=Test
Test,ou=People,dc=example,dc=com>, <cn=test
test,ou=people,dc=example,dc=com>
Apr  6 15:44:22 debian slapd[3044]: conn=1007 op=8 modifications:
Apr  6 15:44:22 debian slapd[3044]: #011replace: userPassword
Apr  6 15:44:22 debian slapd[3044]: #011#011one value, length 20
Apr  6 15:44:22 debian slapd[3044]: conn=1007 op=8 MOD dn="cn=Test
Test,ou=People,dc=example,dc=com"
Apr  6 15:44:22 debian slapd[3044]: conn=1007 op=8 MOD attr=userPassword
Apr  6 15:44:22 debian slapd[3044]: bdb_dn2entry("cn=test
test,ou=people,dc=example,dc=com")
Apr  6 15:44:22 debian slapd[3044]: send_ldap_result: conn=1007 op=8 p=3
Apr  6 15:44:22 debian slapd[3044]: send_ldap_result: err=10 matched=""
text=""
Apr  6 15:44:22 debian slapd[3044]: send_ldap_result:
referral="ldaps://ldap.example.com/cn=Test%20Test,ou=People,dc=example,dc=com"
Apr  6 15:44:22 debian slapd[3044]: send_ldap_response: msgid=9 tag=103
err=10
Apr  6 15:44:22 debian slapd[3044]: send_ldap_response:
ref="ldaps://ldap.example.com/cn=Test%20Test,ou=People,dc=example,dc=com"
Apr  6 15:44:22 debian slapd[3044]: conn=1007 op=8 RESULT tag=103 err=10
text=
Apr  6 15:44:22 debian slapd[3044]: connection_get(17)
Apr  6 15:44:22 debian slapd[3044]: connection_get(17): got connid=1007
Apr  6 15:44:22 debian slapd[3044]: connection_read(17): checking for
input on id=1007
Apr  6 15:44:22 debian slapd[3044]: op tag 0x42, time 1333719862
Apr  6 15:44:22 debian slapd[3044]: conn=1007 op=9 do_unbind
Apr  6 15:44:22 debian slapd[3044]: conn=1007 op=9 UNBIND
Apr  6 15:44:22 debian slapd[3044]: connection_close: conn=1007 sd=17
Apr  6 15:44:22 debian slapd[3044]: conn=1007 fd=17 closed
Apr  6 15:44:22 debian slapd[3044]: connection_get(16)
Apr  6 15:44:22 debian slapd[3044]: connection_get(16): got connid=1006
Apr  6 15:44:22 debian slapd[3044]: connection_read(16): checking for
input on id=1006
Apr  6 15:44:22 debian slapd[3044]: ber_get_next on fd 16 failed errno=0
(Success)
Apr  6 15:44:22 debian slapd[3044]: connection_close: conn=1006 sd=16
Apr  6 15:44:22 debian slapd[3044]: conn=1006 fd=16 closed (connection lost)

Why objectClass=passwordPolicy? I can find that kind of objectClass in
my base.

I read that I need some ACLs. But where do I have to put them?

In the master I already have some ACLs:

access to attrs=userPassword,shadowLastChange
        by self write
        by dn="cn=syncuser,dc=example,dc=com" read
        by anonymous auth
        by * none

access to *
        by self write
        by * read


In the slave I've put:

syncrepl rid=202
        provider=ldaps://ldap.example.com
        type=refreshOnly
        interval=00:01:00:00
        retry="60 10 300 +"
        filter="(objectClass=*)"
        scope=sub
        attrs="*"
        bindmethod=simple
        schemachecking=off
        searchbase="dc=example,dc=com"
        binddn="cn=syncuser,dc=example,dc=com"
        credentials=youdonthavetoknow
        tls_reqcert=never


updateref ldaps://ldap.example.com


Thanks in advance for your help and explanation.

Jacques Foucry
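An added example, not part of the post above or of OpenLDAP itself, that turns the consumer's log into a check: it groups slapd lines by conn/op and lists the MOD operations that the consumer answered with err=10 (referral) instead of performing, which is exactly what passwd reports as "Referral" when the client does not chase the referral back to the provider. The sample log is constructed from the lines in the post; the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed slapd log excerpt modelled on the consumer log in the post.
SAMPLE_LOG = """\
Apr  6 15:44:22 debian slapd[3044]: conn=1007 op=8 MOD dn="cn=Test Test,ou=People,dc=example,dc=com"
Apr  6 15:44:22 debian slapd[3044]: conn=1007 op=8 MOD attr=userPassword
Apr  6 15:44:22 debian slapd[3044]: send_ldap_result: conn=1007 op=8 p=3
Apr  6 15:44:22 debian slapd[3044]: send_ldap_result: err=10 matched="" text=""
Apr  6 15:44:22 debian slapd[3044]: send_ldap_result: referral="ldaps://ldap.example.com/cn=Test%20Test,ou=People,dc=example,dc=com"
Apr  6 15:44:22 debian slapd[3044]: conn=1007 op=8 RESULT tag=103 err=10 text=
Apr  6 15:44:30 debian slapd[3044]: conn=1008 op=2 MOD dn="cn=Other,ou=People,dc=example,dc=com"
Apr  6 15:44:30 debian slapd[3044]: conn=1008 op=2 MOD attr=mail
Apr  6 15:44:30 debian slapd[3044]: conn=1008 op=2 RESULT tag=103 err=0 text=
"""

CONN_OP = re.compile(r"conn=(\d+) op=(\d+)")
MOD_DN = re.compile(r'MOD dn="([^"]*)"')
MOD_ATTR = re.compile(r"MOD attr=(\S+)")
REFERRAL = re.compile(r'referral="([^"]*)"')
RESULT = re.compile(r"RESULT tag=(\d+) err=(\d+)")
LDAP_REFERRAL = 10  # LDAP resultCode "referral"; tag 103 is a ModifyResponse

def find_referred_modifies(log_text):
    """Group log lines by (conn, op); return the MOD ops that ended in err=10."""
    ops = defaultdict(lambda: {"dn": None, "attrs": [], "referral": None, "err": None})
    current = None  # (conn, op) of the last line that carried both ids; slapd
    # prints the referral= line without them, so it inherits this context
    for line in log_text.splitlines():
        m = CONN_OP.search(line)
        if m:
            current = (int(m.group(1)), int(m.group(2)))
        if current is None:
            continue
        rec = ops[current]
        if m := MOD_DN.search(line):
            rec["dn"] = m.group(1)
        elif m := MOD_ATTR.search(line):
            rec["attrs"].append(m.group(1))
        elif m := REFERRAL.search(line):
            rec["referral"] = m.group(1)
        elif m := RESULT.search(line):
            rec["err"] = int(m.group(2))
    return [{"conn": c, "op": o, **rec} for (c, o), rec in sorted(ops.items())
            if rec["dn"] is not None and rec["err"] == LDAP_REFERRAL]

def referred_password_changes(log_text):
    """Only the referred modifies that touched userPassword (the passwd case)."""
    return [r for r in find_referred_modifies(log_text) if "userPassword" in r["attrs"]]
```

Run it over the consumer's slapd log (loglevel stats is enough) to see which writes were referred rather than applied; a non-empty result for userPassword means clients are writing to the consumer and not following updateref to the provider.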