Re: (ITS#4096) ppolicy overlay doesn't work when there are subordinate databases

[hyc@symas.com]

Spicer, Kevin wrote:
> Hi Howard,
>
> Sorry for not getting back sooner.
>
> I didn't make my exact setup clear.  All my user accounts are in the
> superior database, therefore I have never used the ppolicy overlay on
> the subordinate databases.  So when I said it worked in 2.2 what I meant
> was it worked against the superior database, in 2.3 it doesn't work at
> all.
>   

OK.

> Overlay order shouldn't be an issue as the only overlay I am using is
> ppolicy.
>   

Try putting an explicit
    overlay glue
in the slapd.conf, before your "overlay ppolicy" directive.
>
> -----Original Message-----
> From: Howard Chu [mailto:hyc@symas.com] 
> kevins@bmrb.co.uk wrote:
>   
>> I also neglected to mention that this was working fine in 2.2.19 with 
>> the ppolicy module from cvs hacked in.
>>     
> In what way did it "work fine" in 2.2? The glue code doesn't intercept
> Bind requests, in either 2.2 or 2.3. Nor does it intercept extended
> operations. In 2.2 it didn't intercept write operations of any kind.
>
> For 2.3, one would expect that configuring any overlay on the superior
> DB should take effect for all the subordinates as well. You may need to
> explicitly manage the order of overlay instances to get the desired
> effect, as noted in slapd.conf(5). Certainly the 2.3 glue code needs to
> be extended to support Binds.

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/