
Re: pwdPolicySubentry & replication user



2012/5/7 Michael Starling <mlstarling31@hotmail.com>:
> Consider the following password policy entry to disable password expiration.
>
> dn: cn=noexpire,ou=policies,dc=umlott,dc=lott
> cn: noexpire
> objectClass: pwdPolicy
> objectClass: person
> objectClass: top
> sn: Password Policy
> pwdAttribute: UserPassword
> pwdMaxAge: 0
> pwdLockout: FALSE
> description: Non-Expiring password policy for service accounts.
> ===============================================
>
> The following LDIF attaches this policy to the 3 users below:
>
> dn: cn=ldapmgr,ou=Service,dc=umlott,dc=lott
> changetype: modify
> add: pwdPolicySubentry
> pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,dc=lott
>
> dn: cn=bind,ou=Service,dc=umlott,dc=lott
> changetype: modify
> add: pwdPolicySubentry
> pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,dc=lott
>
> dn: cn=replicator,ou=Service,dc=umlott,dc=lott
> changetype: modify
> add: pwdPolicySubentry
> pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,dc=lott
>
>
> This all works well and good when setting up my first LDAP server, however
> when I set up another LDAP server in mirror mode to the first server the
> pwdPolicySubentry attribute doesn't carry over to the second node and I
> start to see this in the slapd logs:
>
> ppolicy_bind: Setting warning for password expiry for
> cn=replicator,ou=service,dc=umlott,dc=lott = 0 seconds
>
>
> What's interesting is that the other two accounts that have the noexpire
> policy attached carry over the pwdPolicySubentry attribute just fine to the
> second node.
>
>
> Any insight would be greatly appreciated.

Could you give us the OpenLDAP version you are running? Then, can you
check that operational attributes are well synchronized?

Clément.
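One way to do the check Clément suggests, as an added example that is not part of the thread: dump the service accounts from each node with ldapsearch requesting `+` (which returns operational attributes such as pwdPolicySubentry), then diff the attribute per DN. The two LDIF strings below are constructed stand-ins for those dumps, with the replicator entry lacking the attribute on the mirror as the original post describes.

```python
# Added check (not from the thread): does pwdPolicySubentry agree between
# provider and mirror? The LDIF samples are constructed to mimic ldapsearch
# output requested with '+' (operational attributes, pwdPolicySubentry included).
from collections import defaultdict

PROVIDER_LDIF = """\
dn: cn=ldapmgr,ou=Service,dc=umlott,dc=lott
pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,dc=lott

dn: cn=replicator,ou=Service,dc=umlott,dc=lott
pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,
 dc=lott
"""

MIRROR_LDIF = """\
dn: cn=ldapmgr,ou=Service,dc=umlott,dc=lott
pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,dc=lott

dn: cn=replicator,ou=service,dc=umlott,dc=lott
cn: replicator
"""

def parse_ldif(text):
    """Return {dn: {attr: set(values)}}. Unfolds RFC 2849 continuation lines;
    DNs and attribute names are case-folded because LDAP compares them so."""
    entries = {}
    for block in text.strip().split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]  # folded continuation line
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        attrs = defaultdict(set)
        for line in lines:
            name, _, value = line.partition(":")
            attrs[name.lower()].add(value.lstrip(": "))
        entries[next(iter(attrs["dn"])).lower()] = attrs
    return entries

def attribute_drift(provider, mirror, attr="pwdpolicysubentry"):
    """Map each DN whose `attr` differs to (provider_values, mirror_values)."""
    drift = {}
    for dn in sorted(set(provider) | set(mirror)):
        p = sorted(provider.get(dn, {}).get(attr, ()))
        m = sorted(mirror.get(dn, {}).get(attr, ()))
        if p != m:
            drift[dn] = (p, m)
    return drift
```

An empty result from `attribute_drift` means both nodes carry the same policy pointers; a DN mapped to a non-empty provider list and an empty mirror list is exactly the replicator case from the post.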