
Re: chain and ppolicy question



Tony Earnshaw wrote:
> Gavin Henry wrote, on 06-12-2007 23:13:
>
>>> My site is implementing ppolicy on a 4-server OpenLDAP/RHEL5 setup. I
>>> have a problem with chaining referrals from the 3 slaves to the master.
>>> I followed the slapo-chain man page and chaining works:
>>>
>>> moduleload      back_ldap.la
>>>
>>> overlay chain
>>>
>>> chain-uri               "ldaps://mercurius.intern"
>>> chain-idassert-bind     bindmethod="simple"
>>>                         binddn="cn=proxy,dc=barlaeus,dc=nl"
>>>                         credentials="secret"
>>> chain-return-error      true
>>>
>>> cn=proxy,dc=barlaeus,dc=nl is the rootdn on all servers, thus also on
>>> the master.
>>>
>>> The rootdn is not able to update passwords. I have no idea why the
>>> rootdn shouldn't be able to update passwords (PASSMOD). However, it
>>> seems to me that the chaining from the slave should be carried out as
>>> the actual user and not rootdn. I can find nothing in slapo-chain or
>>> slapd-ldap that lists this possibility.
>>>
>>> Can anyone here help with this?
>>>
>>
>> What are your logs/-d saying?
>
> It's been a while since and up to now I've only had logs going back 5
> days (I've increased this to 21 days now, but that doesn't help here).
>
> Basically, the rootdn bound, issued a PASSMOD instruction for
> userPassword and got a reply tag=103 error=0; it then did a MOD
> instruction for shadowLastChange and got the same. userPassword wasn't
> changed, but shadowLastChange was.
>
> By having the slave server connect directly to the provider instead of
> using the consumer's chain function, all happens as expected, so that's
> the workaround at present, but it's far from optimal.

The slave connects directly to the provider? What does that mean? Surely
the slave issues a referral and the client follows it?

>
> Best,
>
> --Tonni
>
> --
> Tony Earnshaw
> Email: tonni at hetnet dot nl
>
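One way to have the consumer chain the operation as the bound client rather than as the proxy DN, given as an added example and not as configuration from this thread: slapd-ldap(5) lets the idassert-bind directive take mode=self, which sends the client's identity to the provider in a proxyAuthz control, and the provider must explicitly permit that with authz-policy and an authzTo attribute on the proxy's entry (slapd.conf(5)). The URI and proxy DN are taken from the original post; the ou=people subtree, the authzTo rule and the ACL are assumed, and the cn=proxy entry is assumed to exist in the DIT so that it can carry the authzTo attribute.

```conf
# --- consumer (slave) side: added example, not the poster's config ---
moduleload      back_ldap.la

overlay chain

chain-uri               "ldaps://mercurius.intern"
# mode="self" asserts the identity of the bound client instead of
# operating as cn=proxy (slapd-ldap(5) idassert-bind).
chain-idassert-bind     bindmethod="simple"
                        binddn="cn=proxy,dc=barlaeus,dc=nl"
                        credentials="secret"
                        mode="self"
# Restrict which bound identities the consumer will assert (assumed subtree).
chain-idassert-authzFrom "dn.subtree:ou=people,dc=barlaeus,dc=nl"
chain-return-error      true

# --- provider (mercurius.intern) side ---
# Honour authzTo rules stored on the proxy entry; cn=proxy must exist as
# an entry and carry, for example (assumed rule):
#   authzTo: dn.subtree:ou=people,dc=barlaeus,dc=nl
authz-policy    to

# The asserted user, not the proxy, is now the one the ACLs see, so it
# must be allowed to write its own password (assumed ACL).
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
```

With this in place the provider's log should show the PASSMOD arriving with the proxied user DN rather than cn=proxy, which also means ppolicy on the provider evaluates that user's policy instead of the rootdn's.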