OpenLDAP 2.4.23-26 on CentOS 5. I am trying to get the pwdFailureTime updated on the master when the slave recieves a password failure. Here is my config. It's pretty simple and basic. No TLS.

Master:

access to attrs=userPassword
        by group.exact="cn=ldapadmins,ou=Groups,dc=test,dc=net" write
        by dn.exact="cn=replication,dc=test,dc=net" read
        by self         write
        by anonymous    auth
        by *            none
access to *
        by group.exact="cn=ldapadmins,ou=Groups,dc=test,dc=net" write
        by dn.exact="cn=replication,dc=test,dc=net" write
        by self         write
        by users        read
        by anonymous    read
        by *            none



Slave:

overlay chain
chain-uri               ldap://172.16.0.84:389
chain-rebind-as-user    TRUE
chain-idassert-bind     bindmethod=simple
                        binddn="cn=replication,dc=test,dc=net"
                        credentials="MyPasswd"
                        mode="self"
chain-return-error      TRUE

# Password Policy
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=test,dc=net
ppolicy_use_lockout
ppolicy_forward_updates


# Slave Replication
syncrepl rid=101
        provider=ldap://172.16.0.84:389
        type=refreshAndPersist
        interval=00:00:01:00
        retry="60 10 300 +"
        searchbase="dc=test,dc=net"
        schemachecking=off
        bindmethod=simple
        binddn="cn=replication,dc=test,dc=net"
        credentials="MyPasswd"
updateref               "ldap://172.16.0.84:389"



I see the connection on the master but it gives a permission error:


Mar 20 09:47:46 LDAP-RADIUS-1 slapd[14288]: conn=1124 op=3 MOD dn="cn=testuser,ou=People,dc=test,dc=net"
Mar 20 09:47:46 LDAP-RADIUS-1 slapd[14288]: conn=1124 op=3 MOD attr=pwdFailureTime
Mar 20 09:47:46 LDAP-RADIUS-1 slapd[14288]: conn=1124 op=3 RESULT tag=103 err=50 text=


I read that you maybe need authzTo added to the binddn for the chain? Or is this only for TLS?

I tried adding this ldif:

dn: cn=replication,dc=test,dc=net
changetype: modify
add: authzTo
authzTo: *

And even set the:

chain-idassert-authzFrom "*"

in the chain. But it always gives me the error code 50 not enough permissions. I believe it is supposed to give access to the user to MOD the pwdFailureTime tribute knowing it is coming from a relay. But I can't find very specific docs on this or see what is wrong. Any help apreciated.

Thanks,
Brad