My site is implementing ppolicy on a 4-server OpenLDAP/RHEL5 setup. I
have a problem with chaining referrals from the 3 slaves to the master.
I followed the slapo-chain man page and chaining works:
moduleload back_ldap.la
overlay chain
chain-uri "ldaps://mercurius.intern"
chain-idassert-bind bindmethod="simple"
binddn="cn=proxy,dc=barlaeus,dc=nl"
credentials="secret"
chain-return-error true
cn=proxy,dc=barlaeus,dc=nl is the rootdn on all servers, thus also on
the master.
The rootdn is not able to update passwords. I have no idea why the
rootdn shouldn't be able to update passwords (PASSMOD). However, it
seems to me that the chaining from the slave should be carried out as
the actual user and not rootdn. I can find nothing in slapo-chain or
slapd-ldap that lists this possibility.
Can anyone here help with this?