[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: pwdPolicySubentry & replication user



Hi Clément. Thanks for your response.


I'm running openldap-2.4.23-20 on RHEL 6.2

Operational attributes are transferring over for all users sans the replicator user.

If I add the following LDIF manually to the node that doesn't have the pwdPolicySubentry attribute then it shows up on the second node but is deleted from the original node it appeared on.

dn: cn=replicator,ou=Service,dc=umlott,dc=lott
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,dc=lott


> Date: Tue, 8 May 2012 15:09:32 +0200
> Subject: Re: pwdPolicySubentry & replication user
> From: clem.oudot@gmail.com
> To: mlstarling31@hotmail.com
> CC: openldap-technical@openldap.org
>
> 2012/5/7 Michael Starling <mlstarling31@hotmail.com>:
> > Consider the following password policy entry to disable password expiration.
> >
> > dn: cn=noexpire,ou=policies,dc=umlott,dc=lott
> > cn: noexpire
> > objectClass: pwdPolicy
> > objectClass: person
> > objectClass: top
> > sn: Password Policy
> > pwdAttribute: UserPassword
> > pwdMaxAge: 0
> > pwdLockout: FALSE
> > description: Non-Expiring password policy for service accounts.
> > ===============================================
> >
> > The following LDIF attaches this policy to the 3 users below:
> >
> > dn: cn=ldapmgr,ou=Service,dc=umlott,dc=lott
> > changetype: modify
> > add: pwdPolicySubentry
> > pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,dc=lott
> >
> > dn: cn=bind,ou=Service,dc=umlott,dc=lott
> > changetype: modify
> > add: pwdPolicySubentry
> > pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,dc=lott
> >
> > dn: cn=replicator,ou=Service,dc=umlott,dc=lott
> > changetype: modify
> > add: pwdPolicySubentry
> > pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,dc=lott
> >
> >
> > This all works well and good when setting up my first LDAP server, however
> > when I setup another LDAP server in mirror mode to the first server the
> > pwdPolicySubentry attribute doesn't carry over to the the second node and I
> > start to see this in the slapd logs:
> >
> > ppolicy_bind: Setting warning for password expiry for
> > cn=replicator,ou=service,dc=umlott,dc=lott = 0 seconds
> >
> >
> > What's interesting is that the other two accounts that have the noexpire
> > policy attached carry over the pwdPolicySubentry attribute just fine to the
> > second node.
> >
> >
> > Any insight would be greatly appreciated.
>
> Could you give us the OpenLDAP version you are running? Then, can you
> check that operational attributes are well synchronized?
>
> Clément.