This question was asked on the OpenLDAP ML but was rejected as "Off
Topic". I have little hope that it will be answered on this list unless
one of the OpenLDAP.org occasional lurkers (like Howard Chu or other
really OpenLDAP-knowledgeable people) happens to see it.
Anyway, here goes:
OpenLDAP 2.3.38.
My site is implementing ppolicy on a 4-server OpenLDAP/RHEL5 setup. I
have a problem with chaining referrals from the 3 slaves to the master.
I followed the slapo-chain man page and chaining works:
moduleload back_ldap.la
overlay chain
chain-uri "ldaps://mercurius.intern"
chain-idassert-bind bindmethod="simple"
        binddn="cn=proxy,dc=barlaeus,dc=nl"
        credentials="secret"
chain-return-error true
cn=proxy,dc=barlaeus,dc=nl is the rootdn on all servers, thus also on
the master.
/etc/ldap.conf is configured for pam_exop, my ACLs allow users to write
the necessary attributes for ppolicy. The users have to authenticate as
themselves for ppolicy to work.
If I configure /etc/ldap.conf to go directly to the master for password
updates, they bind as themselves and ppolicy works for changing
passwords (PASSMOD). But if I configure it to go to the local, chaining,
slave, the slave binds as the rootdn. The master log at -d Stats shows
no error, but the password is left unchanged (shadowLastChange *is*
updated). I want to cut down the load on the master, which is doing
enough already without having to cope with all nss/pam stuff from 3 slaves.
I have no idea why the rootdn shouldn't be able to update passwords
(PASSMOD). However, it seems to me that the chaining from the slave
should be carried out as the user and not rootdn. I can find nothing in
slapo-chain or slapd-ldap that lists this possibility.
Can anyone here help with the chaining bit?
Best,
--Tonni
--
Tony Earnshaw
Email: tonni at hetnet dot nl
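Added example (not from Tony's post and not OpenLDAP project code): a slapo-chain configuration in which the slave binds to the master with a dedicated proxy identity and asserts the bound user's own identity on each chained operation, plus the matching master-side authorization settings. The directive names (idassert-bind with mode=self, idassert-authzFrom, authz-policy, authzTo) are the ones documented in slapd-ldap(5), slapo-chain(5) and slapd.conf(5); the proxy DN cn=chainproxy,ou=services,dc=barlaeus,dc=nl, the ou=people subtree, the ACL and the password are assumptions for illustration. Whether this resolves the PASSMOD behaviour described above on 2.3.38 is not something the post establishes.

```conf
# ---- Slave (consumer) slapd.conf: chain overlay (added example) ----
moduleload back_ldap.la
overlay chain
chain-uri "ldaps://mercurius.intern"
# Bind to the master as a dedicated, non-rootdn proxy identity (assumed DN)
# and assert the client's own identity on every chained write (mode=self),
# so the master evaluates ACLs against the user rather than the proxy.
chain-idassert-bind bindmethod="simple"
        binddn="cn=chainproxy,ou=services,dc=barlaeus,dc=nl"
        credentials="secret"
        mode=self
# Only identities under ou=people may be asserted through the proxy;
# anything else (including anonymous) is refused on the slave side.
chain-idassert-authzFrom "dn.regex:^uid=[^,]+,ou=people,dc=barlaeus,dc=nl$"
chain-return-error true

# ---- Master (provider) slapd.conf (added example) ----
# Allow the proxy entry to authorize as the identities listed in its authzTo.
authz-policy to
# Users may change their own password; the proxy itself has no write access.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read

# ---- Master: proxy entry (LDIF, shown here as a comment; added example) ----
# dn: cn=chainproxy,ou=services,dc=barlaeus,dc=nl
# objectClass: simpleSecurityObject
# objectClass: organizationalRole
# cn: chainproxy
# userPassword: {SSHA}<hash-placeholder>
# authzTo: dn.regex:^uid=[^,]+,ou=people,dc=barlaeus,dc=nl$
```

The point of the two-sided setup is least privilege: the master's authz-policy and the proxy entry's authzTo bound exactly which identities the slave may assume, and the proxy DN is an ordinary entry rather than the rootdn, so the master's ACLs still apply to every chained operation and a compromised slave does not hold credentials that bypass them. A quick check after the change is to bind to the slave as a test user, run ldappasswd against it, and confirm in the master's -d stats log that the operation arrives with the user's DN as the authorization identity.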