[Date Prev][Date Next] [Chronological] [Thread] [Top]

ACL's for slave servers

Summary:  Slave servers can't seem to update the shadowLastChange
attribute and I'm not sure how to allow them to do so.  I'm running Redhat
Enterprise Linux 2.1 AS and openldap 2.0.27-2.7.3.

On my primary LDAP server, I have the following ACL's in place:

access to attribute=shadowLastChange
        by dn="cn=admin,dc=sboss,dc=com"
        by self write
        by * read

access to attrs=userPassword
     by dn="cn=admin,dc=sboss,dc=com"
     by self write
     by * auth

access to *
     by * read

I have replication setup and it works ...

replica host=ldappriv02.sboss.com:389

... and I have the slave servers setup to update the master servers.

updatedn        "cn=admin,dc=sboss,dc=com"
updateref       ldap://ldappriv01.sboss.com:389

When I create a new account, I set the shadowLastChange to be 0 so that
users have to change their password on first login. If they login to the
server that is the LDAP master, they have no problems.  If they login to
any of the slaves, they're prompted to change their passwords and
everything appears to work fine.  If they logout and then login again on
the slave, they're prompted to change their passwords again but this
doesn't happen if they login initially to the ldap server, leading me to
believe that the slaves do not have the ability to update the
shadowLastChange attribute.  I know this must be something simple, so how
should I fix this?

Thank you,