After doing some research and posting to some incorrect mailing lists, I have
found out that this has to do with the Password Policy module and requires
configuration in slapd.conf. I noticed that the default slapd.conf file I was
using included ppolicy.schema, but no modules were loaded. Since I was unsure
of the use of ppolicy.schema, I commented it out of slapd.conf. This changed
nothing.
Why would one version throw this error and the other version not?
Current slapd.conf file:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
#include /usr/local/etc/openldap/schema/ppolicy.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
access to attrs=userPassword,userPKCS12
by self write
by anonymous auth
by * auth
access to attrs=shadowLastChange
by self write
by * read
access to *
by * read
#######################################################################
# BDB database definitions
#######################################################################
allow bind_v2 bind_anon_dn
database bdb
suffix "dc=motogroup,dc=com"
rootdn "cn=Administrator,dc=motogroup,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {MD5}JZ6/Ojy0YGqXdnEnhLHgqw==
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres
Old slapd.conf file (working):
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
#include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/nis.schema
#include /etc/openldap/schema/samba3.schema
include /etc/openldap/schema/yast.schema
include /etc/openldap/schema/sudo.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# Load dynamic backend modules:
modulepath /usr/lib/openldap/modules
# moduleload back_ldap.la
# moduleload back_meta.la
# moduleload back_monitor.la
# moduleload back_perl.la
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
access to attr=userPassword,userPKCS12
by self write
by * auth
access to attr=shadowLastChange
by self write
by * read
access to *
by * read
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/share/ssl/certs/ldap.pem
TLSCertificateKeyFile /usr/share/ssl/certs/ldap.pem
allow bind_v2 bind_anon_dn
database bdb
suffix "dc=motogroup,dc=com"
rootdn "cn=Administrator,dc=motogroup,dc=com"
rootpw "{crypt}DA5U3tdjldJ0M"
directory /var/lib/ldap
checkpoint 1024 5
cachesize 10000
loglevel 256
replogfile /var/lib/ldap/replog
replica uri=ldap://linuxadm03:389
binddn="cn=Administrator, dc=motogroup, dc=com"
bindmethod=simple credentials="admin10nt"
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres
Error messages:
Jun 1 08:05:30 linuxadm03 slapd[8939]: conn=475 fd=20 ACCEPT from IP=10.101.25.2:33144 (IP=0.0.0.0:389)
Jun 1 08:05:30 linuxadm03 slapd[8939]: conn=475 op=0 BIND dn="" method=128
Jun 1 08:05:30 linuxadm03 slapd[8939]: conn=475 op=0 RESULT tag=97 err=0 text=
Jun 1 08:05:30 linuxadm03 slapd[8939]: conn=475 op=1 SRCH base="dc=motogroup,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=testu))"
Jun 1 08:05:30 linuxadm03 slapd[8939]: conn=475 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 1 08:05:30 linuxadm03 slapd[8939]: conn=475 op=2 BIND dn="uid=testu,ou=people,dc=motogroup,dc=com" method=128
Jun 1 08:05:30 linuxadm03 slapd[8939]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
Jun 1 08:05:30 linuxadm03 slapd[8939]: conn=475 op=2 RESULT tag=97 err=49 text=
Account Info:
# testu, people, motogroup.com
dn: uid=testu,ou=people,dc=motogroup,dc=com
givenName: Test
sn: User
cn: Test User
mail: test.user@motoristsgroup.com
uid: testu
uidNumber: 2001
gidNumber: 3000
homeDirectory: /home/testu
loginShell: /bin/bash
shadowInactive: -1
shadowMax: 99999
shadowLastChange: 13047
shadowWarning: 7
shadowMin: -1
shadowExpire: -1
shadowFlag: 0
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
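Added here as an example, not part of the original post: a small log correlator that walks slapd syslog lines like those above, tracks BIND operations by (conn, op), and flags any bind whose RESULT was preceded by a "slap_global_control: unrecognized control" message. The sample lines are the post's own log, rejoined one per line; the OID table holds only the one control the post shows (the Password Policy request control that the ppolicy overlay handles).

```python
import re

# Constructed sample: the slapd log lines from the post, one entry per line.
SAMPLE_LOG = """\
Jun 1 08:05:30 linuxadm03 slapd[8939]: conn=475 fd=20 ACCEPT from IP=10.101.25.2:33144 (IP=0.0.0.0:389)
Jun 1 08:05:30 linuxadm03 slapd[8939]: conn=475 op=0 BIND dn="" method=128
Jun 1 08:05:30 linuxadm03 slapd[8939]: conn=475 op=0 RESULT tag=97 err=0 text=
Jun 1 08:05:30 linuxadm03 slapd[8939]: conn=475 op=1 SRCH base="dc=motogroup,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=testu))"
Jun 1 08:05:30 linuxadm03 slapd[8939]: conn=475 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 1 08:05:30 linuxadm03 slapd[8939]: conn=475 op=2 BIND dn="uid=testu,ou=people,dc=motogroup,dc=com" method=128
Jun 1 08:05:30 linuxadm03 slapd[8939]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
Jun 1 08:05:30 linuxadm03 slapd[8939]: conn=475 op=2 RESULT tag=97 err=49 text=
"""

# Control OIDs we can name; 1.3.6.1.4.1.42.2.27.8.5.1 is the LDAP Password Policy
# request control, which slapd only recognizes when the ppolicy overlay is loaded.
KNOWN_CONTROLS = {"1.3.6.1.4.1.42.2.27.8.5.1": "passwordPolicyRequest (ppolicy overlay)"}
# LDAP result codes seen in the sample; 49 is invalidCredentials.
RESULT_CODES = {0: "success", 49: "invalidCredentials"}

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
BIND_RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')  # tag 97 = BindResponse
CTRL_RE = re.compile(r'slap_global_control: unrecognized control: ([\d.]+)')

def find_unrecognized_control_binds(lines):
    """Return one finding per BIND whose result followed an 'unrecognized control' line.

    The control message carries no conn/op, so it is attached to the next bind
    RESULT that closes out a pending BIND, then cleared.
    """
    pending = {}       # (conn, op) -> bind DN
    last_ctrl = None   # OID from the most recent unrecognized-control line
    findings = []
    for line in lines:
        if (m := BIND_RE.search(line)):
            pending[(m.group(1), m.group(2))] = m.group(3)
        elif (m := CTRL_RE.search(line)):
            last_ctrl = m.group(1)
        elif (m := BIND_RESULT_RE.search(line)):
            key, err = (m.group(1), m.group(2)), int(m.group(3))
            dn = pending.pop(key, None)
            if dn is not None and last_ctrl is not None:
                findings.append({"conn": key[0], "op": key[1], "dn": dn, "err": err,
                                 "result": RESULT_CODES.get(err, "other"),
                                 "control": last_ctrl,
                                 "control_name": KNOWN_CONTROLS.get(last_ctrl, "unknown")})
            last_ctrl = None
    return findings

if __name__ == "__main__":
    for f in find_unrecognized_control_binds(SAMPLE_LOG.splitlines()):
        print(f)
```

On the sample, only op=2 (the user bind) is reported; the anonymous bind at op=0 had no control message before its result and is left alone.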