Hello all,
I am losing something important about ppolicy and (syncrepl) replication.
master openldap has an mdb database with the following overlays:

# {0}ppolicy, {1}mdb, config
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=pre_default,ou=policies,dc=example,dc=org

# {1}syncprov, {1}mdb, config
dn: olcOverlay={1}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {1}syncprov
olcSpCheckpoint: 20 10
olcSpSessionlog: 500
ppolicy works fine on master:

ldapwhoami -x -ZZ -h master.example.org -D uid=malvezzi,ou=people,dc=example,dc=org -w secret -e ppolicy
ldap_bind: Invalid credentials (49); Password expired
entry is:

sudo ldapsearch -H ldapi:/// -Y EXTERNAL 'uid=malvezzi' +
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0

# malvezzi, people, example.org
dn: uid=malvezzi,ou=people,dc=example,dc=org
structuralObjectClass: inetOrgPerson
entryUUID: 982dbc48-f125-1032-8ef6-db4e8deee77a
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20131204114727Z
pwdHistory: 20140428131956Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}YC2cJflzdWc
 tkxDL2xBR+TDj/oRWzGAh
pwdHistory: 20140428132623Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}vHW/cNKDwZT
 kM0pMFJ/venY9OhYR+T2c
pwdPolicySubentry: cn=default30g,ou=policies,dc=example,dc=org
pwdChangedTime: 20140311071845Z
entryCSN: 20140428135251.204124Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140428135251Z
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
On the replica (slave) ppolicy looks inactive:

ldapwhoami -x -H ldapi:/// -D uid=malvezzi,ou=people,dc=example,dc=org -w secret -e ppolicy
dn:uid=malvezzi,ou=people,dc=example,dc=org
entry on slave looks correct:

ldapsearch -x -h slave.example.org -ZZ -D uid=malvezzi,ou=people,dc=example,dc=org -w secret -e ppolicy 'uid=malvezzi' +

dn: uid=malvezzi,ou=people,dc=example,dc=org
structuralObjectClass: inetOrgPerson
entryUUID: 982dbc48-f125-1032-8ef6-db4e8deee77a
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20131204114727Z
pwdHistory: 20140428131956Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}YC2cJflzdWc
 tkxDL2xBR+TDj/oRWzGAh
pwdHistory: 20140428132623Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}vHW/cNKDwZT
 kM0pMFJ/venY9OhYR+T2c
pwdPolicySubentry: cn=default30g,ou=policies,dc=example,dc=org
pwdChangedTime: 20140311071845Z
entryCSN: 20140428135251.204124Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140428135251Z
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
(on slave):

ldapsearch -H ldapi:/// -Y EXTERNAL cn=default30g

dn: cn=default30g,ou=policies,dc=example,dc=org
cn: default30g
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdExpireWarning: 60000
pwdFailureCountInterval: 30
pwdInHistory: 2
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 2592000
pwdMaxFailure: 0
pwdMinAge: 0
pwdMustChange: TRUE
pwdSafeModify: FALSE
sn: scadenza password ogni 30 giorni
pwdGraceAuthNLimit: 0
pwdMinLength: 8
objectClass: person
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: top
pwdCheckQuality: 1
pwdCheckModule: check_password.so
ppolicy overlay is enabled on the replica database.
Should I enable ppolicy overlay on glue database as well?
If I type wrong password, master adds a pwdFailureTime line; slave does not.
What am I missing?
Thank you all,
Francesco
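As an added example (not from the post or from the OpenLDAP project), a small Python script that unfolds the LDIF quoted in the post and evaluates the cn=default30g policy the way a ppolicy-enforcing bind would: with pwdMaxAge 2592000 and pwdChangedTime 20140311071845Z the password expired on 20140410071845Z, so a bind on 2014-04-28 must be refused with "Password expired" on every server that enforces the policy, which is a quick way to confirm that the replica's data is right and only enforcement differs. The sample entries are shortened copies of the ones above; pwdGraceUseTime is the standard ppolicy attribute, not something from the post.

```python
from datetime import datetime, timedelta, timezone

# Constructed from the entries quoted in the post (trimmed to the attributes the check needs).
USER_LDIF = """dn: uid=malvezzi,ou=people,dc=example,dc=org
pwdPolicySubentry: cn=default30g,ou=policies,dc=example,dc=org
pwdChangedTime: 20140311071845Z
pwdHistory: 20140428131956Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}YC2cJflzdWc
 tkxDL2xBR+TDj/oRWzGAh
"""
POLICY_LDIF = """dn: cn=default30g,ou=policies,dc=example,dc=org
pwdMaxAge: 2592000
pwdExpireWarning: 60000
pwdGraceAuthNLimit: 0
pwdLockout: TRUE
pwdMaxFailure: 0
"""

def gtime(value):
    """Parse an LDAP GeneralizedTime such as 20140311071845Z (UTC, second resolution)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_ldif(text):
    """Parse one LDIF entry into {attr: [values]}, unfolding continuation lines (leading space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF folding: glue the continuation onto the previous line
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(": ")
        entry.setdefault(attr, []).append(value.strip())
    return entry

def password_state(user, policy, now_gtime):
    """What a ppolicy-enforcing bind should report for `user` under `policy` at time now_gtime."""
    now = gtime(now_gtime)
    changed = gtime(user["pwdChangedTime"][0])
    max_age = int(policy.get("pwdMaxAge", ["0"])[0])
    warn = int(policy.get("pwdExpireWarning", ["0"])[0])
    grace = int(policy.get("pwdGraceAuthNLimit", ["0"])[0])
    max_fail = int(policy.get("pwdMaxFailure", ["0"])[0])
    expires_at = changed + timedelta(seconds=max_age) if max_age else None   # pwdMaxAge 0 = never
    expired = expires_at is not None and now >= expires_at
    return {
        "expires_at": expires_at.strftime("%Y%m%d%H%M%SZ") if expires_at else None,
        "expired": expired,
        # an expiry warning is only due inside the pwdExpireWarning window before expiry
        "warn": expires_at is not None and not expired and now >= expires_at - timedelta(seconds=warn),
        # grace binds left once expired; 0 means the bind fails with "Password expired"
        "grace_left": max(grace - len(user.get("pwdGraceUseTime", [])), 0) if expired else None,
        # pwdMaxFailure 0 disables the failure-count lockout even though pwdLockout is TRUE
        "lockout_active": policy.get("pwdLockout", ["FALSE"])[0] == "TRUE" and max_fail > 0,
    }

if __name__ == "__main__":
    # 20140428135251Z is the entryCSN time of the entry shown in the post
    print(password_state(parse_ldif(USER_LDIF), parse_ldif(POLICY_LDIF), "20140428135251Z"))
```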