[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: pwdPolicySubentry & replication user

To: Michael Starling <mlstarling31@hotmail.com>
Subject: Re: pwdPolicySubentry & replication user
From: Clément OUDOT <clem.oudot@gmail.com>
Date: Tue, 8 May 2012 15:09:32 +0200
Cc: openldap <openldap-technical@openldap.org>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=/2LtqlTP5bi/2qN39jIT2c7grbQE/4y2Mdx04aliJ64=; b=Ghe8aKACiKDz6bEuwf+WphP6LSkYovDv2SsXEGgQiRZvjnM7qa3kM2aWLHycNLAydT TJf7hPcUKRmXkW3DGiHPGtCPyLxznG3lVffeaDUy1VRsOVs4QJBWdKOkmU5kp0R34Xfm 08didlJPJlXiwYiSU19Xdkk33rU9xEKHzFmeXa/yAzPb2W8JhHcTse0skUrc3M1vRNDP V8YJ884HzgdD+e5kL/N9ewtTuqQ/ygkGthhzIHK09/EE7XH/FxGVBP9oxn6PCqiKEz1r fXhTodcFFh551ourCq3oG7ZSS+43vp4GF/Pqd3azajt+jkhpmQp36m48y0lXOr8pq+m3 eLEw==
In-reply-to: <COL104-W10DB477C0982F7F7E9405AD4130@phx.gbl>
References: <COL104-W10DB477C0982F7F7E9405AD4130@phx.gbl>

2012/5/7 Michael Starling <mlstarling31@hotmail.com>:
> Consider the following password policy entry to disable password expiration.
>
> dn: cn=noexpire,ou=policies,dc=umlott,dc=lott
> cn: noexpire
> objectClass: pwdPolicy
> objectClass: person
> objectClass: top
> sn: Password Policy
> pwdAttribute: UserPassword
> pwdMaxAge: 0
> pwdLockout: FALSE
> description: Non-Expiring password policy for service accounts.
> ===============================================
>
> The following LDIF attaches this policy to the 3 users below:
>
> dn: cn=ldapmgr,ou=Service,dc=umlott,dc=lott
> changetype: modify
> add: pwdPolicySubentry
> pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,dc=lott
>
> dn: cn=bind,ou=Service,dc=umlott,dc=lott
> changetype: modify
> add: pwdPolicySubentry
> pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,dc=lott
>
> dn: cn=replicator,ou=Service,dc=umlott,dc=lott
> changetype: modify
> add: pwdPolicySubentry
> pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,dc=lott
>
>
> This all works well and good when setting up my first LDAP server, however
> when I setup another LDAP server in mirror mode to the first server the
> pwdPolicySubentry attribute doesn't carry over to the the second node and I
> start to see this in the slapd logs:
>
> ppolicy_bind: Setting warning for password expiry for
> cn=replicator,ou=service,dc=umlott,dc=lott = 0 seconds
>
>
> What's interesting is that the other two accounts that have the noexpire
> policy attached carry over the pwdPolicySubentry attribute just fine to the
> second node.
>
>
> Any insight would be greatly appreciated.

Could you give us the OpenLDAP version you are running? Then, can you
check that operational attributes are well synchronized?

Clément.

Follow-Ups:
- RE: pwdPolicySubentry & replication user
  - From: Michael Starling <mlstarling31@hotmail.com>

References:
- pwdPolicySubentry & replication user
  - From: Michael Starling <mlstarling31@hotmail.com>

Prev by Date: Re: acl filter problem
Next by Date: Lock table is out of available locks
Index(es):
- Chronological
- Thread