[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Password - Ldap update

On Mon, 13 Jun 2011 15:44 -0600, ldap@mm">ldap@mm.st wrote:
> We have RH5 servers with openldap-2.3.43 used to authenticate systems
> via ldap and pam settings.  We are using  a single master and our
> consumers run in refreshOnly mode.  The consumers are placed on various
> networks so the systems do not need to traverse a bunch of routers to
> contact the server for authentication.  The consumer is  the first
> server listed in the ldap.conf files and the provider is listed as the
> secondary for the systems.  We need to allow only certain users to
> change their passwords via the passwd command and will be trying to
> figure out an ACl to put in the servers slapd.conf files to accomplish
> this.
> The question is, if the system authenticates against a consumer which is
> read only and their password has expired,  when they try to change their
> password I assume that the command will fail since it can not write to
> the consumer which is read only?   If this is the case and the provider
> is listed as a secondary or the slapd.conf file for the consumer has the
> provider listed as the updateref, will the system try the provider when
> it can not write to the consumer? 
> Unfortunately, I am unable to test this right now and wanted to get some
> feedback on how this works.

Haven't had a chance to try the chain overlay that was suggested yet,
but we were able to try changing the password on of the consumers and
the password was updated properly on the provider.  The updateref
setting on the consumers seems to be  work with the passwd command.