Hi,
I am trying to make ppolicy work when chain overlay is also configured.
Password lockout works. But changing passwords stopped working after adding ppolicy. Here is part of the log for changing a password on a client that binds to one consumer:
==============================================================================
Jun 11 17:20:18 ldap2 slapd[4090]: do_modify
Jun 11 17:20:18 ldap2 slapd[4090]: do_modify: dn (uid=user1,ou=people,dc=example,dc=com)
Jun 11 17:20:18 ldap2 slapd[4090]: >>> dnPrettyNormal: <uid=user1,ou=people,dc=example,dc=com>
Jun 11 17:20:18 ldap2 slapd[4090]: <<< dnPrettyNormal: <uid=user1,ou=people,dc=example,dc=com>, <uid=user1,ou=people,dc=example,dc=com>
Jun 11 17:20:18 ldap2 slapd[4090]: modifications:
Jun 11 17:20:18 ldap2 slapd[4090]: replace: userPassword
Jun 11 17:20:18 ldap2 slapd[4090]: one value, length 41
Jun 11 17:20:18 ldap2 slapd[4090]: conn=17 op=7 MOD dn="uid=user1,ou=people,dc=example,dc=com"
Jun 11 17:20:18 ldap2 slapd[4090]: conn=17 op=7 MOD attr=userPassword
Jun 11 17:20:18 ldap2 slapd[4090]: bdb_dn2entry("uid=user1,ou=people,dc=example,dc=com")
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: conn=17 op=7 p=3
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: err=10 matched="" text=""
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: referral="ldaps://provider/uid=user1,ou=people,dc=example,dc=com"
Jun 11 17:20:18 ldap2 slapd[4090]: >>> dnPrettyNormal: <uid=user1,ou=people,dc=example,dc=com>
Jun 11 17:20:18 ldap2 slapd[4090]: <<< dnPrettyNormal: <uid=user1,ou=people,dc=example,dc=com>, <uid=user1,ou=people,dc=example,dc=com>
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: conn=17 op=7 p=3
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: err=50 matched="" text="Must supply old password to be changed as well as new one"
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: conn=17 op=7 p=3
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: err=10 matched="" text=""
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: referral="ldaps://provider/uid=user1,ou=people,dc=example,dc=com"
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_response: msgid=8 tag=103 err=10
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_response: ref="ldaps://provider/uid=user1,ou=people,dc=example,dc=com"
Jun 11 17:20:18 ldap2 slapd[4090]: conn=17 op=7 RESULT tag=103 err=10 text=
===============================================================================
Even though both the old and new passwords were given, they seem not to be passed over to the provider.
With the chain overlay, how should I set up ppolicy so that the real user's password is passed along to the provider properly?
My provider slapd.conf setup is:
.....
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq

overlay ppolicy
ppolicy_default "cn=passwdpolicy,ou=policies,dc=example,dc=com"
ppolicy_use_lockout

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
Simon