
No referral sent when using PasswdExtModify (rfc3062) to change passwd on slave (ITS#3036)

Full_Name: Wojtek Sczygiol
Version: 2.2.6
OS: Linux/2.6.3
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

I have my posixAccount info stored on my ldap server (master.xyz) and use
syncrepl on my laptop (slave1.xyz) with "provider=ldaps://master.xyz", which BTW
works great.
On both hosts, pam_ldap & nss_ldap are configured to connect to so I
can always log in even when disconnected from master.xyz.

When I try to modify data on the slave I get a referral to "ldaps://master.xyz"
- as expected. 
However, when I use ldappasswd to change a password on the slave, the extended
modify operation succeeds and the password is actually changed in the slave
dit. Same effect with passwd(1) using ldap backend: The password change
succeeds, the following (regular) modify operation on shadowLastChange fails
and gets the referral.

One should expect that _all_ operations that would alter the synchronized dit
fragment in any way should fail on the slave and _always_ return a referral.
(Maybe slapd should even log a warning when encountering ACLs that allow write
access to synchronized dit fragments on the slave.)
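
The warning suggested in the last paragraph can be approximated offline by auditing slapd.conf. The following is an added example, not part of the original report and not OpenLDAP code: it flags ACLs that grant write access in any database carrying a `syncrepl` directive. It assumes simple `by <who> <level>` clauses, and the sample configuration is constructed.

```python
import re

WRITE_LEVELS = {"write", "manage"}  # "manage" only exists in later slapd releases

# Constructed sample modelled on the replica in the report (not the reporter's file).
SAMPLE_CONF = '''\
database bdb
suffix "dc=xyz"
syncrepl rid=001
  provider=ldaps://master.xyz
  searchbase="dc=xyz"
access to attrs=userPassword
  by self write
  by anonymous auth
access to *
  by * read
'''

def logical_lines(text):
    """Drop comments/blank lines and join indented continuation lines."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def writable_replica_acls(conf_text):
    """Return (suffix, acl) for each write-granting ACL in a syncrepl database."""
    global_acls, dbs, cur = [], [], None
    for line in logical_lines(conf_text):
        parts = line.split(None, 1)
        key, rest = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "database":
            cur = {"suffix": None, "replica": False, "acls": []}
            dbs.append(cur)
        elif key == "access":
            # ACLs before the first "database" line are global and apply everywhere
            (cur["acls"] if cur else global_acls).append(line)
        elif cur and key == "suffix":
            cur["suffix"] = rest.strip().strip('"')
        elif cur and key == "syncrepl":
            cur["replica"] = True
    findings = []
    for db in (d for d in dbs if d["replica"]):
        for acl in db["acls"] + global_acls:
            levels = re.findall(r'\bby\s+(?:[^\s"]*"[^"]*"|\S+)\s+(\S+)', acl)
            if any(lv.lower() in WRITE_LEVELS for lv in levels):
                findings.append((db["suffix"], acl))
    return findings
```

Calling `writable_replica_acls(SAMPLE_CONF)` returns the `userPassword` ACL for `dc=xyz`, which is the rule that lets the password change land on the slave.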