[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ppolicy in back_ldap?

To: "masarati@aero.polimi.it" <masarati@aero.polimi.it>
Subject: Re: ppolicy in back_ldap?
From: Tyler Gates <tjgates@castlebranch.com>
Date: Thu, 22 Apr 2010 21:22:32 -0400
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
In-reply-to: <8f27818e1f3ce1d0e365c7e63271b94d.squirrel@www.aero.polimi.it>
References: <D0CA19AB-C820-46BF-970F-B21C64E38305@castlebranch.com> <157d56b56975a667dc1cc0ce997dafc0.squirrel@www.aero.polimi.it> <4BD0748A.9030604@castlebranch.com> <8fe1d7b9e46de9a6cbf69d21b079f627.squirrel@www.aero.polimi.it> <4BD08E87.4090708@castlebranch.com> <d4bd5b0909fd15147f6625229f8f126e.squirrel@www.aero.polimi.it> <4BD0B54C.4020403@castlebranch.com> <8f27818e1f3ce1d0e365c7e63271b94d.squirrel@www.aero.polimi.it>



On Apr 22, 2010, at 4:54 PM, masarati@aero.polimi.it wrote:

I've noticed the following in the logs though which confuses meeven
more:

PROXIED attributeDescription "PWDHISTORY" inserted.
PROXIED attributeDescription "PWDPOLICYSUBENTRY" inserted.
PROXIED attributeDescription "PWDCHANGEDTIME" inserted.
PROXIED attributeDescription "PWDCHANGEDTIME" inserted.
This is a clear indication the schema is ***not*** loaded. That'swhy Iasked. The ppolicy schema is loaded by default when slapo-ppolicyis
built statically in slapd.  Otherwise you need to either load
ppolicy.schema, or load the ppolicy.la module. In any case, theschemamust be present also on the proxy, even though the proxy does notneed
to
have the overlay instantiated.  It would be waaaaaay easier if you
posted
your remote host & proxy configuration, and detailed how OpenLDAPwas
built (namely, static or dynamic modules).

p.
I failed to mention the above messages where after I removed ppolicy.
I'm using third party rpms from Buchan, it is built dynamic modules:
#####################################################3
Name : openldap2.4-servers Relocations: (notrelocatable)Version : 2.4.18 Vendor:TelkomInternetRelease : 1.rhel5 Build Date: Fri 18 Sep2009
05:43:56 AM EDT
Install Date: Mon 21 Sep 2009 05:47:01 PM EDT      Build Host:
build.telkomsa.net
Group       : System/Servers                Source RPM:
openldap2.4-2.4.18-1.rhel5.src.rpm
Size        : 4774420                          License: Artistic
Signature   : DSA/SHA1, Fri 18 Sep 2009 05:52:27 AM EDT, Key ID
ac92ba5060d204a7
Packager    : Buchan Milne <bgmilne@staff.telkomsa.net>
URL         : http://www.openldap.org
Summary     : OpenLDAP servers and related files
Description :
OpenLDAP Servers
This package contains the OpenLDAP server, slapd (LDAP server),additional
backends, configuration files, schema definitions required for
operation, and
database maintenance tools

This server package was compiled with support for the berkeley
database library.
###########################################################
Below are my configs (database config was added so I could convertoverto cn=config which I can assure has not changed since I convertedit):
PROXY:

include    /usr/share/openldap2.4/schema/core.schema
include    /usr/share/openldap2.4/schema/cosine.schema
include    /usr/share/openldap2.4/schema/corba.schema
include    /usr/share/openldap2.4/schema/inetorgperson.schema
include    /usr/share/openldap2.4/schema/java.schema
include    /usr/share/openldap2.4/schema/krb5-kdc.schema
include /usr/share/openldap2.4/schema/kerberosobject.schema
include    /usr/share/openldap2.4/schema/nis.schema
include    /usr/share/openldap2.4/schema/openldap.schema
include /usr/share/openldap2.4/schema/autofs.schema
include /usr/share/openldap2.4/schema/samba.schema
include /usr/share/openldap2.4/schema/kolab.schema
include /usr/share/openldap2.4/schema/evolutionperson.schema
include /usr/share/openldap2.4/schema/calendar.schema
include /usr/share/openldap2.4/schema/sudo.schema
include /usr/share/openldap2.4/schema/dnszone.schema
include /usr/share/openldap2.4/schema/dhcp.schema
include /usr/share/openldap2.4/schema/ppolicy.schema
I see. What I note is that some of the schema elements are onlydefinedby the overlay itself, they are not specified in the schema file.This
makes sense, because they are operational, and slapd does not allow to
specify operational attributes in the configuration. For thispurpose,
you need to

moduleload ppolicy.la
in your proxy configuration, *without* configuring the ppolicyoverlay onthe proxy database. This should make all attributes related toppolicyknown to the proxy. Does this solve all your issue, or is thereanything
left?  I mean, apart from the fix to ITS#6530, that allows to proxy
control responses on successful binds.

p.

Yes! Your solution of loading the module but not configuring it on theproxy solved the false alarms on the proxy and did allow searches forthe attributes to be recognized.My only problem now as you pointed out is in the ITS where passwordpolicy controls are not being sent back to the proxy.


Thanks for you help :)

References:
- ppolicy in back_ldap?
  - From: Tyler Gates <tjgates@castlebranch.com>
- Re: ppolicy in back_ldap?
  - From: masarati@aero.polimi.it
- Re: ppolicy in back_ldap?
  - From: Tyler Gates <tjgates@castlebranch.com>
- Re: ppolicy in back_ldap?
  - From: masarati@aero.polimi.it
- Re: ppolicy in back_ldap?
  - From: Tyler Gates <tjgates@castlebranch.com>
- Re: ppolicy in back_ldap?
  - From: masarati@aero.polimi.it
- Re: ppolicy in back_ldap?
  - From: Tyler Gates <tjgates@castlebranch.com>
- Re: ppolicy in back_ldap?
  - From: masarati@aero.polimi.it

Prev by Date: Re: ppolicy in back_ldap?
Next by Date: Certificate authentication and back-ldap proxy
Index(es):
- Chronological
- Thread