[Date Prev][Date Next] [Chronological] [Thread] [Top]

Issues with Ppolicy Overlay and chaining (master/slave)

Hello!

I've been experiencing some issues with ppolicy overlay and chaining. I've implemented a simple openldap master and consumer architecture.This implementation works fine. I have data from the master, replicated into the slave, and all writes sent to the slave (add/edit ous and users), are forwarded to the master.

I've now added to this architecture ppolicy overlay (with olcPPolicyForwardUpdates set to TRUE). When the slave receives a logon failure, it should forward this to the master, so ppolicy overlay can set  pwdFailuretime and pwdAccountLockedTime.

This is not happening. Neither master nor slave,  are setting pwdFailuretime or pwdAccountLockedTime.


When debugging the slave, I get the following messages:

541875a7 conn=1010 op=0 BIND dn="cn=Lisa Hayes,ou=Quality,dc=example,dc=com" method=128
541875a7 conn=1010 op=0 ldap_back_retry: retrying URI="ldap://ldapmaster.com" DN="cn=syncrepluser,ou=security,dc=example,dc=com"
541875a7 conn=1010 op=0 RESULT tag=97 err=49 text=
541875a7 conn=1010 op=1 UNBIND
541875a7 conn=1010 fd=21 closed

I've been searching the Internet how to solve this issue without any luck. can someone point me to the right direction? Here is my conf for replication and chain in both master and slave:

#-----
# Master
#-----
dn: cn=module,cn=config
changetype: add
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: syncprov

dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

#-----
# Slave
#-----
dn: cn=module,cn=config
changetype: add
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: syncprov
olcModuleLoad: back_ldap

dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://ldapmaster.com binddn="cn=syncReplUser,ou=Security,dc=example,dc=com" bindmethod=simple credentials=secret searchbase="dc=example,dc=com" type=refreshAndPersist scope=sub retry="5 10 10 +" timeout=1 sizelimit=unlimited schemachecking=on
-
add: olcUpdateRef
olcUpdateRef: ldap://ldapmaster.com

dn: olcOverlay=chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: chain
olcChainReturnError: TRUE

dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: ldap
olcDbURI: ldap://ldapmaster.com
olcDbRebindAsUser: TRUE
olcDbIDAssertBind: bindmethod=simple binddn="cn=syncReplUser,ou=Security,dc=example,dc=com" credentials=secret mode=self flags=prescriptive,proxy-authz-non-critical


Thanks in advanced