ppolicy+syncrpl: pwd* attributes lost

List overview All Threads
Download

newer

older

Query regarding the Transaction...

Re: slapd replication (push based)

Chris G. Sellers

25 Jun 2008 25 Jun '08

10:35 a.m.

I have n-way multimaster replication setup. Works great.

I have slapo_ppolicy setup, it too works.

the problem I appear to have is that whichever server does the password change, the pwd* attributes are set, and then removed from the other server.

So, if I do a password change on server1, the record for user A on server1 shows pwdChangedTime The record for user A on server2 shows the modificationTime but the pwdChangedTime is deleted

The same goes if I use server2 and look at server1.

At first, I thought it may be due to the clear_hash setting, but that didn't seem to make an impact. Any ideas? I know I must have something missing but I'm just not seeing it.

---

password-hash {SSHA}

########################################################################### database bdb suffix "dc=nitle,dc=org" rootdn "cn=MASTERUSER,dc=nitle,dc=org" rootpw {SSHA}WAYTOOSECRETFORYOU directory /home/ldap/openldap/var/openldap-data

serverID 1 limits dn.exact="cn=mirroruser,ou=ou,dc=nitle,dc=org" size=unlimited time=unlimited

syncrepl rid=010 provider=ldap://ldapserveronoe.nitle.org:999999999 binddn="cn=mirroruser,ou=ou,dc=nitle,dc=org" bindmethod=simple credentials=OOOOOHHHH searchbase="dc=nitle,dc=org" type=refreshAndPersist scope=sub interval=00:00:00:10 retry="15 5 300 +" timeout=1 schemachecking=off starttls=yes

attrs = "*,structuralObjectClass ,entryUUID ,entryCSN ,creatorsName ,createTimestamp,modifiersName,modifyTimestamp,pwdPolicySubentry" # syncdata=accesslog

syncrepl rid=011 provider=ldap://ldapserverTwo.nitle.org:999999999 binddn="cn=ldap`1,dc=nitle,dc=org" bindmethod=simple credentials=OOOOOHHHH searchbase="dc=nitle,dc=org" type=refreshAndPersist schemachecking=off scope=sub interval=00:00:00:10 retry="15 5 300 +" timeout=1 starttls=yes

attrs = "*,structuralObjectClass ,entryUUID ,entryCSN ,creatorsName ,createTimestamp,modifiersName,modifyTimestamp,pwdPolicySubentry" # syncdata=accesslog

overlay syncprov mirrormode true

## INDICES TO MAINTAIN index objectClass eq index cn,mail,surname,givenname eq,subinitial index uidNumber,gidNumber,memberuid,member,uniqueMember eq

## PASSWORD POLICY OVERLAY ## overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=nitle,dc=org" ppolicy_hash_cleartext # ppolicy_use_lockout

++++++++++++++++++++++++++++++++++++++ Chris G. Sellers | Internet Engineer | NITLE 734.661.2318 | chris.sellers@nitle.org Jabber: csellers@nitle.org | AIM: imthewherd

Attachments:

attachment.htm (text/html — 7.2 KB)

Show replies by date

Gavin Henry

26 Jun 26 Jun

6:07 a.m.

Chris G. Sellers wrote:

...

I have n-way multimaster replication setup. Works great.

I have slapo_ppolicy setup, it too works.

the problem I appear to have is that whichever server does the password change, the pwd* attributes are set, and then removed from the other server.

So, if I do a password change on server1, the record for user A on server1 shows pwdChangedTime The record for user A on server2 shows the modificationTime but the pwdChangedTime is deleted

The same goes if I use server2 and look at server1.

At first, I thought it may be due to the clear_hash setting, but that didn't seem to make an impact. Any ideas? I know I must have something missing but I'm just not seeing it.

password-hash {SSHA}

########################################################################### database bdb suffix "dc=nitle,dc=org" rootdn "cn=MASTERUSER,dc=nitle,dc=org" rootpw {SSHA}WAYTOOSECRETFORYOU directory /home/ldap/openldap/var/openldap-data

serverID 1 limits dn.exact="cn=mirroruser,ou=ou,dc=nitle,dc=org" size=unlimited time=unlimited

syncrepl rid=010 provider=ldap://ldapserveronoe.nitle.org:999999999 binddn="cn=mirroruser,ou=ou,dc=nitle,dc=org" bindmethod=simple credentials=OOOOOHHHH searchbase="dc=nitle,dc=org" type=refreshAndPersist scope=sub interval=00:00:00:10 retry="15 5 300 +" timeout=1 schemachecking=off starttls=yes attrs="*,structuralObjectClass,entryUUID,entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp,pwdPolicySubentry" # syncdata=accesslog

syncrepl rid=011 provider=ldap://ldapserverTwo.nitle.org:999999999 binddn="cn=ldap`1,dc=nitle,dc=org" bindmethod=simple credentials=OOOOOHHHH searchbase="dc=nitle,dc=org" type=refreshAndPersist schemachecking=off scope=sub interval=00:00:00:10 retry="15 5 300 +" timeout=1 starttls=yes

attrs="*,structuralObjectClass,entryUUID,entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp,pwdPolicySubentry" # syncdata=accesslog

overlay syncprov mirrormode true

## INDICES TO MAINTAIN index objectClass eq index cn,mail,surname,givenname eq,subinitial index uidNumber,gidNumber,memberuid,member,uniqueMember eq

## PASSWORD POLICY OVERLAY ## overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=nitle,dc=org" ppolicy_hash_cleartext # ppolicy_use_lockout

++++++++++++++++++++++++++++++++++++++ Chris G. Sellers | Internet Engineer | NITLE 734.661.2318 | chris.sellers@nitle.org mailto:chris.sellers@nitle.org Jabber: csellers@nitle.org mailto:csellers@nitle.org | AIM: imthewherd

Where are your ACLs?

-- Kind Regards, Gavin Henry. OpenLDAP Engineering Team. E ghenry@OpenLDAP.org Community developed LDAP software. http://www.openldap.org/project/

Chris G. Sellers

12:05 p.m.

I thought about that, but checked and I think they are okay.

The last entry in the ACL list has an entry like this

access to * by dn.exact="cn=repluser,ou=ou,dc=nitle,dc=org" write by dn.exact="cn=mirroruser,ou=ou,dc=nitle,dc=org" write

where the replication users are given write access You think maybe I need to be explicit since their are EAs ?

On Jun 26, 2008, at 9:07 AM, Gavin Henry wrote:

...

Chris G. Sellers wrote:

...
I have n-way multimaster replication setup. Works great. I have slapo_ppolicy setup, it too works. the problem I appear to have is that whichever server does the password change, the pwd* attributes are set, and then removed from the other server. So, if I do a password change on server1, the record for user A on server1 shows pwdChangedTime The record for user A on server2 shows the modificationTime but the pwdChangedTime is deleted The same goes if I use server2 and look at server1. At first, I thought it may be due to the clear_hash setting, but that didn't seem to make an impact. Any ideas? I know I must have something missing but I'm just not seeing it.

password-hash {SSHA} ########################################################################### database bdb suffix "dc=nitle,dc=org" rootdn "cn=MASTERUSER,dc=nitle,dc=org" rootpw {SSHA}WAYTOOSECRETFORYOU directory /home/ldap/openldap/var/openldap-data serverID 1 limits dn.exact="cn=mirroruser,ou=ou,dc=nitle,dc=org" size=unlimited time=unlimited syncrepl rid=010 provider=ldap://ldapserveronoe.nitle.org:999999999 binddn="cn=mirroruser,ou=ou,dc=nitle,dc=org" bindmethod=simple credentials=OOOOOHHHH searchbase="dc=nitle,dc=org" type=refreshAndPersist scope=sub interval=00:00:00:10 retry="15 5 300 +" timeout=1 schemachecking=off starttls=yes

attrs = "*,structuralObjectClass ,entryUUID ,entryCSN ,creatorsName ,createTimestamp,modifiersName,modifyTimestamp,pwdPolicySubentry" # syncdata=accesslog syncrepl rid=011 provider=ldap://ldapserverTwo.nitle.org:999999999 binddn="cn=ldap`1,dc=nitle,dc=org" bindmethod=simple credentials=OOOOOHHHH searchbase="dc=nitle,dc=org" type=refreshAndPersist schemachecking=off scope=sub interval=00:00:00:10 retry="15 5 300 +" timeout=1 starttls=yes

attrs = "*,structuralObjectClass ,entryUUID ,entryCSN ,creatorsName ,createTimestamp,modifiersName,modifyTimestamp,pwdPolicySubentry" # syncdata=accesslog overlay syncprov mirrormode true ## INDICES TO MAINTAIN index objectClass eq index cn,mail,surname,givenname eq,subinitial index uidNumber,gidNumber,memberuid,member,uniqueMember eq ## PASSWORD POLICY OVERLAY ## overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=nitle,dc=org" ppolicy_hash_cleartext # ppolicy_use_lockout ++++++++++++++++++++++++++++++++++++++ Chris G. Sellers | Internet Engineer | NITLE 734.661.2318 | chris.sellers@nitle.org <mailto:chris.sellers@nitle.org

...
Jabber: csellers@nitle.org mailto:csellers@nitle.org | AIM: imthewherd

Where are your ACLs?

-- Kind Regards,

Gavin Henry. OpenLDAP Engineering Team.

E ghenry@OpenLDAP.org

Community developed LDAP software.

http://www.openldap.org/project/

++++++++++++++++++++++++++++++++++++++ Chris G. Sellers | Internet Engineer | NITLE 734.661.2318 | chris.sellers@nitle.org Jabber: csellers@nitle.org | AIM: imthewherd

Gavin Henry

12:40 p.m.

New subject: ppolicy+syncrpl: pwd* attributes lost

2008/6/26 Chris G. Sellers Chris.Sellers@nitle.org:

...

I thought about that, but checked and I think they are okay.

The last entry in the ACL list has an entry like this

access to * by dn.exact="cn=repluser,ou=ou,dc=nitle,dc=org" write by dn.exact="cn=mirroruser,ou=ou,dc=nitle,dc=org" write

Remember it's top down when they get assessed:

and add

by * break

-- http://www.suretecsystems.com/services/openldap/

Chris G. Sellers

1:01 p.m.

Ok, I did find part of my error. It was not explicitly named in the syncrepl statement. I added pwdChangedTime and pwdHistory to the syncrepl attrs line and it does sync them now -- but only if they already exist. The account does not have a pwdChangedTime, and you change the password on servera, serverb does not get the attribute populated. I will have to monitor the logs to see.

Thanks for making me think different about the problem.

--line changed --

attrs = "*,structuralObjectClass ,entryUUID ,entryCSN ,creatorsName ,createTimestamp,modifiersName,modifyTimestamp,pwdPolicySubentry"

attrs = "*,structuralObjectClass ,entryUUID ,entryCSN ,creatorsName ,createTimestamp ,modifiersName ,modifyTimestamp,pwdPolicySubentry,pwdChangedTime,pwdHistory"

On Jun 26, 2008, at 9:07 AM, Gavin Henry wrote:

...

Chris G. Sellers wrote:

...
I have n-way multimaster replication setup. Works great. I have slapo_ppolicy setup, it too works. the problem I appear to have is that whichever server does the password change, the pwd* attributes are set, and then removed from the other server. So, if I do a password change on server1, the record for user A on server1 shows pwdChangedTime The record for user A on server2 shows the modificationTime but the pwdChangedTime is deleted The same goes if I use server2 and look at server1. At first, I thought it may be due to the clear_hash setting, but that didn't seem to make an impact. Any ideas? I know I must have something missing but I'm just not seeing it.

password-hash {SSHA} ########################################################################### database bdb suffix "dc=nitle,dc=org" rootdn "cn=MASTERUSER,dc=nitle,dc=org" rootpw {SSHA}WAYTOOSECRETFORYOU directory /home/ldap/openldap/var/openldap-data serverID 1 limits dn.exact="cn=mirroruser,ou=ou,dc=nitle,dc=org" size=unlimited time=unlimited syncrepl rid=010 provider=ldap://ldapserveronoe.nitle.org:999999999 binddn="cn=mirroruser,ou=ou,dc=nitle,dc=org" bindmethod=simple credentials=OOOOOHHHH searchbase="dc=nitle,dc=org" type=refreshAndPersist scope=sub interval=00:00:00:10 retry="15 5 300 +" timeout=1 schemachecking=off starttls=yes attrs = "*,structuralObjectClass ,entryUUID ,entryCSN ,creatorsName ,createTimestamp,modifiersName,modifyTimestamp,pwdPolicySubentry" # syncdata=accesslog syncrepl rid=011 provider=ldap://ldapserverTwo.nitle.org:999999999 binddn="cn=ldap`1,dc=nitle,dc=org" bindmethod=simple credentials=OOOOOHHHH searchbase="dc=nitle,dc=org" type=refreshAndPersist schemachecking=off scope=sub interval=00:00:00:10 retry="15 5 300 +" timeout=1 starttls=yes

attrs = "*,structuralObjectClass ,entryUUID ,entryCSN ,creatorsName ,createTimestamp,modifiersName,modifyTimestamp,pwdPolicySubentry" # syncdata=accesslog overlay syncprov mirrormode true ## INDICES TO MAINTAIN index objectClass eq index cn,mail,surname,givenname eq,subinitial index uidNumber,gidNumber,memberuid,member,uniqueMember eq ## PASSWORD POLICY OVERLAY ## overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=nitle,dc=org" ppolicy_hash_cleartext # ppolicy_use_lockout ++++++++++++++++++++++++++++++++++++++ Chris G. Sellers | Internet Engineer | NITLE 734.661.2318 | chris.sellers@nitle.org <mailto:chris.sellers@nitle.org

...
Jabber: csellers@nitle.org mailto:csellers@nitle.org | AIM: imthewherd

Where are your ACLs?

-- Kind Regards,

Gavin Henry. OpenLDAP Engineering Team.

E ghenry@OpenLDAP.org

Community developed LDAP software.

http://www.openldap.org/project/

++++++++++++++++++++++++++++++++++++++ Chris G. Sellers | Internet Engineer | NITLE 734.661.2318 | chris.sellers@nitle.org Jabber: csellers@nitle.org | AIM: imthewherd

Gavin Henry

1:22 p.m.

...

Ok, I did find part of my error. It was not explicitly named in the syncrepl statement. I added pwdChangedTime and pwdHistory to the syncrepl attrs line and it does sync them now -- but only if they already exist. The account does not have a pwdChangedTime, and you change the password on servera, serverb does not get the attribute populated. I will have to monitor the logs to see.

Thanks for making me think different about the problem.

--line changed --

attrs = "*,structuralObjectClass ,entryUUID ,entryCSN ,creatorsName ,createTimestamp,modifiersName,modifyTimestamp,pwdPolicySubentry"

Why not just leave it as default:

"The attrs list defaults to "*,+" to return all user and operational attributes, and attrsonly is unset by default."

-- Kind Regards, Gavin Henry. OpenLDAP Engineering Team. E ghenry@OpenLDAP.org Community developed LDAP software. http://www.openldap.org/project/

Quanah Gibson-Mount

1:53 p.m.

--On June 26, 2008 4:01:50 PM -0400 "Chris G. Sellers" Chris.Sellers@nitle.org wrote:

...

Ok, I did find part of my error. It was not explicitly named in the syncrepl statement. I added pwdChangedTime and pwdHistory to the syncrepl attrs line and it does sync them now -- but only if they already exist. The account does not have a pwdChangedTime, and you change the password on servera, serverb does not get the attribute populated. I will have to monitor the logs to see.

Why are you setting the attrs= line at all? Looks to me like you should just be using the default value (attrs="*,+"), and leaving it out of your syncrepl configuration entirely. You should only ever set the attrs= line in the syncrepl stanza if you want partial replication done.

--Quanah

Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

Chris G. Sellers

3:21 p.m.

Thanks folks - I missed that in the doco. I'll make those adjustments :)

Best wishes.

Sellers

On Jun 26, 2008, at 4:53 PM, Quanah Gibson-Mount wrote:

...

--On June 26, 2008 4:01:50 PM -0400 "Chris G. Sellers" <Chris.Sellers@nitle.org

...
wrote:

...
Ok, I did find part of my error. It was not explicitly named in the syncrepl statement. I added pwdChangedTime and pwdHistory to the syncrepl attrs line and it does sync them now -- but only if they already exist. The account does not have a pwdChangedTime, and you change the password on servera, serverb does not get the attribute populated. I will have to monitor the logs to see.

Why are you setting the attrs= line at all? Looks to me like you should just be using the default value (attrs="*,+"), and leaving it out of your syncrepl configuration entirely. You should only ever set the attrs= line in the syncrepl stanza if you want partial replication done.

--Quanah

--

Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc

Zimbra :: the leader in open source messaging and collaboration

5874

Age (days ago)

5875

Last active (days ago)

openldap-software@openldap.org

7 comments

5 participants

tags (0)

participants (5)

Chris G. Sellers
Chris G. Sellers
Gavin Henry
Gavin Henry
Quanah Gibson-Mount