[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ppolicy in back_ldap?

> Hey guys,

Hi.  What version?  Also, I's not clear (to me) whether you're configuring
slapo-ppolicy also on the proxy.  If this is the case, I think you're not
doing the right thing.

>        I currently have a multi-master system setup with a back_ldap
> proxying frontend. We are using ppolicy and it is loaded fine and
> works on the two masters but I'm experiencing a little weirdness on
> the proxy side. It works fine but when I implemented password
> expirations the other day I keep seeing messages on the proxy like:
> ppolicy_bind: Setting warning for password expiry for .... = 0 seconds
> These entries should not be receiving any warning messages and I know
> my settings are correct because if I redirect to one of the masters
> the log output is what I expect. Also, if I run a perl script that
> uses password policy controls and look for time_before_expiration, the
> value is always 0 on the proxy while it is not even set if
> pwdExpireWarning is not met or a sane value if it is on the masters.
> After reading slapo-ppolicy it looks like maybe I should be setting
> olcPPolicyForwardUpdates to TRUE (?) and set a olcupdateRef in
> olcDatabase={1}ldap,cn=config to both masters but it spits at me every
> time I try it.

olcUpdateRef only makes sense when the database is shadow - i.e. it also
contains a olcSyncrepl directive.  The indications above make sense when
slapo-ppolicy is on a shadow database; you're trying to use them on a
proxy, which is usually not a shadow.

> It also says a chain overlay should be set as well but
> when I read slapo-chain its says: "It is useless in conjunction with
> the slapd-ldap and slapd-meta backends because they already exploit
> the libldap specific referral chase feature."

This indication makes sense: slapo-chain uses libldap calls, which can be
configured to automatically handle referrals.  However, in general,
slapo-chain can be used instead of the built-in referral chase
capabilities, because it allows finer grain control on what identity is
used/propagated during referral chasing.  But this should be outside the
scope of your issue.

> If I remove ppolicy overlay I don't see any of the values.

Please clarify: what do you mean by "I don't see any of the values"?  I0ve
checked with HEAD code, and I've noticed that indeed ppolicy control
responses don't get propagated from a remote DSA through the proxy.  Is
this what you mean?  I'm filing an ITS about this.  Actually, I think the
reason is related to ITS#6166 (Followup 1); however, we need to fix it now
rather than wait for that fix.

> I need the proxy to be able to see these attributes (as in those
> making queries to it) and not hammer my logs with incorrect messages.
> Is it possible to make this work, am I doing some wrong?

I know I didn't answer your question, but I need a clearer description of
what you're trying to accomplish.  And there seems to be an issue related
to slapd-ldap behavior when control responses are to be returned during a