I'm trying to setup OpenLDAP on CentOS7, in a provider/consumer
relationship. In general, provider/consumer is working quite well,
except when it comes to password policy.
Specifically, I want PwdFailureTime to be written to the provider from
one of the front end consumers when appropriate.
I'm lead to believe this requires:
a) ppolicy_foward_updates TRUE (done)
b) an appropriate syncrepl configuration for the consumer (I believe done)
c) updateref $LDAP-provider-URI (done)
d) an appropriate chain overlay on the provider (I think done)
e) appropriate ACLs on the provider to allow the consumer bind-user
access to manage PwdFailureTime (I believe done)
I've attempted all of the above, but the consumer (when run in debugging
mode), does not seem to be trying any updates upon authentication
failure. It gives no indication of modifying locally, or of trying to
contact the provider at all over this.
Any idea whats going wrong?