Re: ppolicy+syncrpl: pwd* attributes lost
I thought about that, but checked and I think they are okay.
The last entry in the ACL list has an entry like this
access to *
by dn.exact="cn=repluser,ou=ou,dc=nitle,dc=org" write
by dn.exact="cn=mirroruser,ou=ou,dc=nitle,dc=org" write
where the replication users are given write access
You think maybe I need to be explicit since there are EAs?
On Jun 26, 2008, at 9:07 AM, Gavin Henry wrote:
Chris G. Sellers wrote:
I have n-way multimaster replication setup. Works great.
I have slapo_ppolicy setup, it too works.
The problem I appear to have is that whichever server does the
password change, the pwd* attributes are set, and then removed from
the other server.
So, if I do a password change on server1, the record for user A on
server1 shows pwdChangedTime.
The record for user A on server2 shows the modificationTime but the
pwdChangedTime is deleted.
The same goes if I use server2 and look at server1.
At first, I thought it may be due to the clear_hash setting, but
that didn't seem to make an impact. Any ideas? I know I must have
something missing but I'm just not seeing it.
---
password-hash {SSHA}
###########################################################################
database bdb
suffix "dc=nitle,dc=org"
rootdn "cn=MASTERUSER,dc=nitle,dc=org"
rootpw {SSHA}WAYTOOSECRETFORYOU
directory /home/ldap/openldap/var/openldap-data
serverID 1
limits dn.exact="cn=mirroruser,ou=ou,dc=nitle,dc=org" size=unlimited time=unlimited
syncrepl rid=010 provider=ldap://ldapserveronoe.nitle.org:999999999
binddn="cn=mirroruser,ou=ou,dc=nitle,dc=org" bindmethod=simple
credentials=OOOOOHHHH searchbase="dc=nitle,dc=org"
type=refreshAndPersist scope=sub
interval=00:00:00:10 retry="15 5 300 +" timeout=1
schemachecking=off starttls=yes
attrs="*,structuralObjectClass,entryUUID,entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp,pwdPolicySubentry"
# syncdata=accesslog
syncrepl rid=011 provider=ldap://ldapserverTwo.nitle.org:999999999
binddn="cn=ldap`1,dc=nitle,dc=org" bindmethod=simple
credentials=OOOOOHHHH searchbase="dc=nitle,dc=org"
type=refreshAndPersist schemachecking=off scope=sub
interval=00:00:00:10 retry="15 5 300 +" timeout=1 starttls=yes
attrs="*,structuralObjectClass,entryUUID,entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp,pwdPolicySubentry"
# syncdata=accesslog
overlay syncprov
mirrormode true
## INDICES TO MAINTAIN
index objectClass eq
index cn,mail,surname,givenname eq,subinitial
index uidNumber,gidNumber,memberuid,member,uniqueMember eq
## PASSWORD POLICY OVERLAY ##
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=nitle,dc=org"
ppolicy_hash_cleartext
# ppolicy_use_lockout
++++++++++++++++++++++++++++++++++++++
Chris G. Sellers | Internet Engineer | NITLE
734.661.2318 | chris.sellers@nitle.org
Jabber: csellers@nitle.org | AIM: imthewherd
Where are your ACLs?
--
Kind Regards,
Gavin Henry.
OpenLDAP Engineering Team.
E ghenry@OpenLDAP.org
Community developed LDAP software.
http://www.openldap.org/project/
++++++++++++++++++++++++++++++++++++++
Chris G. Sellers | Internet Engineer | NITLE
734.661.2318 | chris.sellers@nitle.org
Jabber: csellers@nitle.org | AIM: imthewherd
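Added example, not code from the thread or from the OpenLDAP project. The syncrepl attrs list posted above selects "*" plus a handful of named operational attributes. In LDAP attribute selection "*" means every user attribute and "+" every operational attribute, and the ppolicy attributes that the overlay writes (pwdChangedTime, pwdFailureTime, pwdAccountLockedTime, pwdHistory, pwdGraceUseTime, pwdReset) are operational, so a consumer that only asks for the listed attributes never receives them. The script below models that selection rule against a constructed entry for the posted attrs value and for "*,+", and also diffs the pwd* attributes between two constructed ldapsearch LDIF outputs, which is the check to run against each server before touching the ACLs. The user entry, its attribute set and both LDIF samples are assumptions made for the demo; the suffix and policy DN are the ones on the page.

```python
"""Model syncrepl attribute selection and diff pwd* attributes between
two servers.  Added example, not from the mailing-list thread.

Selection rules follow RFC 4511 section 4.5.1.8 and RFC 3673:
"*" selects all user attributes, "+" all operational attributes,
anything else is matched by name.  Usage of the pwd* attributes
follows the ppolicy schema (USAGE directoryOperation).  The demo
entry and the LDIF samples are constructed, not captured data.
"""
import re

# Operational attributes carried by the demo entry.  Everything not
# listed here is treated as a user attribute.
OPERATIONAL = {
    "structuralObjectClass", "entryUUID", "entryCSN", "creatorsName",
    "createTimestamp", "modifiersName", "modifyTimestamp",
    "pwdPolicySubentry", "pwdChangedTime", "pwdFailureTime",
    "pwdAccountLockedTime", "pwdHistory", "pwdGraceUseTime", "pwdReset",
}

# The attrs value from the posted slapd.conf, joined onto one line.
PAGE_ATTRS = ("*,structuralObjectClass,entryUUID,entryCSN,creatorsName,"
              "createTimestamp,modifiersName,modifyTimestamp,pwdPolicySubentry")

# Constructed attribute set for "user A" after a password change.
DEMO_ENTRY = ["uid", "objectClass", "userPassword", "entryUUID", "entryCSN",
              "modifyTimestamp", "pwdPolicySubentry", "pwdChangedTime",
              "pwdFailureTime"]


def parse_attrs_spec(spec):
    """Split a syncrepl attrs="..." value into its selectors."""
    return {a.strip() for a in spec.split(",") if a.strip()}


def selected_attrs(spec, entry_attrs):
    """Return the attributes of entry_attrs that the selector list asks for."""
    sel = parse_attrs_spec(spec)
    named = {s.lower() for s in sel}
    kept = set()
    for name in entry_attrs:
        is_op = name in OPERATIONAL
        if (("*" in sel and not is_op) or ("+" in sel and is_op)
                or name.lower() in named):
            kept.add(name)
    return kept


def dropped_attrs(spec, entry_attrs):
    """Attributes the consumer never requests, hence cannot store."""
    return set(entry_attrs) - selected_attrs(spec, entry_attrs)


def parse_ldif_entry(ldif):
    """Parse one ldapsearch -LLL entry into {attribute: [values]}.
    Folded continuation lines are joined; base64 ("::") values are kept
    encoded, which is enough for presence checks."""
    attrs = {}
    unfolded = re.sub(r"\n ", "", ldif.strip())
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name = name.strip()
        if name.lower() == "dn":
            continue
        attrs.setdefault(name, []).append(value.lstrip(":").strip())
    return attrs


def missing_pwd_attrs(provider_ldif, consumer_ldif):
    """pwd* attributes present on the provider copy but absent on the
    consumer copy of the same entry."""
    prov = parse_ldif_entry(provider_ldif)
    cons = parse_ldif_entry(consumer_ldif)
    return sorted(a for a in prov
                  if a.lower().startswith("pwd") and a not in cons)


# Constructed ldapsearch output for the same entry on each server.
PROVIDER_LDIF = """dn: uid=usera,ou=people,dc=nitle,dc=org
uid: usera
objectClass: inetOrgPerson
userPassword:: e1NTSEF9ZXhhbXBsZQ==
entryCSN: 20080626140700.000000Z#000000#001#000000
modifyTimestamp: 20080626140700Z
pwdPolicySubentry: cn=default,ou=policies,dc=nitle,dc=org
pwdChangedTime: 20080626140700Z
"""

CONSUMER_LDIF = """dn: uid=usera,ou=people,dc=nitle,dc=org
uid: usera
objectClass: inetOrgPerson
userPassword:: e1NTSEF9ZXhhbXBsZQ==
entryCSN: 20080626140700.000000Z#000000#001#000000
modifyTimestamp: 20080626140700Z
pwdPolicySubentry: cn=default,ou=policies,dc=nitle,dc=org
"""

if __name__ == "__main__":
    print("posted attrs drops:", sorted(dropped_attrs(PAGE_ATTRS, DEMO_ENTRY)))
    print('"*,+" drops:', sorted(dropped_attrs("*,+", DEMO_ENTRY)))
    print("missing on consumer:", missing_pwd_attrs(PROVIDER_LDIF, CONSUMER_LDIF))
```

To get real input for missing_pwd_attrs, run the same search against each server and request operational attributes explicitly, for example ldapsearch -LLL -H ldap://server1 -D "cn=mirroruser,ou=ou,dc=nitle,dc=org" -W -b "dc=nitle,dc=org" "(uid=usera)" '*' '+' and likewise for server2; without the trailing '+' the pwd* attributes are not returned even when they are stored, so their absence in the output would prove nothing.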