Hi,
I am trying to make ppolicy work when the chain overlay is also configured.
Password lockout works, but changing passwords stopped working after
adding ppolicy. Here is part of the log for changing a password on a client
that binds to one consumer:
==============================================================================
Jun 11 17:20:18 ldap2 slapd[4090]: do_modify
Jun 11 17:20:18 ldap2 slapd[4090]: do_modify: dn (uid=user1,ou=people,dc=example,dc=com)
Jun 11 17:20:18 ldap2 slapd[4090]: >>> dnPrettyNormal: <uid=user1,ou=people,dc=example,dc=com>
Jun 11 17:20:18 ldap2 slapd[4090]: <<< dnPrettyNormal: <uid=user1,ou=people,dc=example,dc=com>, <uid=user1,ou=people,dc=example,dc=com>
Jun 11 17:20:18 ldap2 slapd[4090]: modifications:
Jun 11 17:20:18 ldap2 slapd[4090]: replace: userPassword
Jun 11 17:20:18 ldap2 slapd[4090]: one value, length 41
Jun 11 17:20:18 ldap2 slapd[4090]: conn=17 op=7 MOD dn="uid=user1,ou=people,dc=example,dc=com"
Jun 11 17:20:18 ldap2 slapd[4090]: conn=17 op=7 MOD attr=userPassword
Jun 11 17:20:18 ldap2 slapd[4090]: bdb_dn2entry("uid=user1,ou=people,dc=example,dc=com")
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: conn=17 op=7 p=3
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: err=10 matched="" text=""
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: referral="ldaps://provider/uid=user1,ou=people,dc=example,dc=com"
Jun 11 17:20:18 ldap2 slapd[4090]: >>> dnPrettyNormal: <uid=user1,ou=people,dc=example,dc=com>
Jun 11 17:20:18 ldap2 slapd[4090]: <<< dnPrettyNormal: <uid=user1,ou=people,dc=example,dc=com>, <uid=user1,ou=people,dc=example,dc=com>
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: conn=17 op=7 p=3
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: err=50 matched="" text="Must supply old password to be changed as well as new one"
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: conn=17 op=7 p=3
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: err=10 matched="" text=""
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: referral="ldaps://provider/uid=user1,ou=people,dc=example,dc=com"
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_response: msgid=8 tag=103 err=10
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_response: ref="ldaps://provider/uid=user1,ou=people,dc=example,dc=com"
Jun 11 17:20:18 ldap2 slapd[4090]: conn=17 op=7 RESULT tag=103 err=10 text=
===============================================================================
Even though both the old and new passwords were given, they seem not to be
passed over to the provider.
With the chain overlay, how should I set up ppolicy so that the real user's
password is passed along to the provider properly?
My provider slapd.conf setup is:
.....
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq
overlay ppolicy
ppolicy_default "cn=passwdpolicy,ou=policies,dc=example,dc=com"
ppolicy_use_lockout
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
Simon