I have a master-slave configuration, sync'ed with syncrepl. Most of my LDAP clients connect directly to the slave servers. Some of my clients can handle referrals, but others cannot. For this reason, I use the 'chain' overlay.
The configuration works fine when I have 'pam_password clear' in my clients' ldap.conf. But with 'pam_password md5', the clients are not sending the control messaging for ppolicy. This seems to be a pam_ldap issue, but I cannot seem to track it down and correct it.
It has been suggested that I use the 'pam_password exop' option on the clients as a work-around for the pam_ldap issue. Doing this, I get hashed passwords, as well as correct ppolicy control messaging, and everything works fine doing this in my other (lab) scenario where I am not required to use chaining. BUT, in my chaining config, when the user makes a password change, instead of the user's password being changed, the chain's bind password is changed. NOTE: I do not employ SASL.
Is this configuration supported? Anyone know why the chain's bind password would be getting changed, instead of the user's?
Thanks, Joe