Pierangelo Masarati masarati@aero.polimi.it wrote:
Not necessarily. Every write to a well-configured replica should be rejected with a referral. The chain overlay will intercept the referral and chase it, applying the modification to the master. You need to check why no referral is returned, since the master's value eventually overrides the replica's. Either the configuration uses an identity that bypasses shadow checks (like the updatedn) or some SASL-related code (slap_auxprop_store?) is performing an internal modification with some special flag that bypasses shadow checks.
I beleive the offending code is in servers/slapd/sasl.h:slap_auxprop_store()
It seems we use the authc Id: slap_propnames[SLAP_SASL_PROP_AUTHC]
But there is no special flags: mod->sml_flags = 0;
Nothing in the logs on the master. On the client I have this at bind time: SASL [conn=219246] Error: SASL error opening password file. Do you have write permissions? SASL [conn=219246] Failure: Could not open db for write
But it happens all the time, OTP being used or not.