[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Password - Ldap update
We have RH5 servers with openldap-2.3.43 used to authenticate systems
via ldap and pam settings. We are using a single master and our
consumers run in refreshOnly mode. The consumers are placed on various
networks so the systems do not need to traverse a bunch of routers to
contact the server for authentication. The consumer is the first
server listed in the ldap.conf files and the provider is listed as the
secondary for the systems. We need to allow only certain users to
change their passwords via the passwd command and will be trying to
figure out an ACl to put in the servers slapd.conf files to accomplish
this.
The question is, if the system authenticates against a consumer which is
read only and their password has expired, when they try to change their
password I assume that the command will fail since it can not write to
the consumer which is read only? If this is the case and the provider
is listed as a secondary or the slapd.conf file for the consumer has the
provider listed as the updateref, will the system try the provider when
it can not write to the consumer?
Unfortunately, I am unable to test this right now and wanted to get some
feedback on how this works.