On 04/04/2012 05:59 PM, anax wrote:
Hello,
updateref ldap://ldapmaster.symas.com
http://www.openldap.org/doc/admin24/replication.html#Replication%20Technolog...
Well, after reading the docs, I made some tests on a VM.
My goal is to allow users to change their password.
I have a working replication VM. On this VM I can log in with my LDAP password (PAM on this VM is a client of the replica).
When I try to change the password using the passwd command, this error occurs:
% passwd
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information update failed: Referral
passwd: Permission denied
passwd: password unchanged
In the log I found that:
Apr 6 15:44:17 debian slapd[3044]: <<< dnPrettyNormal: <>, <>
Apr 6 15:44:17 debian slapd[3044]: SRCH "" 0 0
Apr 6 15:44:17 debian slapd[3044]: 1 0 0
Apr 6 15:44:17 debian slapd[3044]: filter: (?objectClass=passwordPolicy)
Apr 6 15:44:17 debian slapd[3044]: attrs:
Apr 6 15:44:17 debian slapd[3044]:
Apr 6 15:44:17 debian slapd[3044]: conn=1007 op=7 SRCH base="" scope=0 deref=0 filter="(?objectClass=passwordPolicy)"
Apr 6 15:44:17 debian slapd[3044]: send_ldap_result: conn=1007 op=7 p=3
Apr 6 15:44:17 debian slapd[3044]: send_ldap_result: err=0 matched="" text=""
Apr 6 15:44:17 debian slapd[3044]: send_ldap_response: msgid=8 tag=101 err=0
Apr 6 15:44:17 debian slapd[3044]: conn=1007 op=7 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 6 15:44:22 debian slapd[3044]: connection_get(17)
Apr 6 15:44:22 debian slapd[3044]: connection_get(17): got connid=1007
Apr 6 15:44:22 debian slapd[3044]: connection_read(17): checking for input on id=1007
Apr 6 15:44:22 debian slapd[3044]: op tag 0x66, time 1333719862
Apr 6 15:44:22 debian slapd[3044]: conn=1007 op=8 do_modify
Apr 6 15:44:22 debian slapd[3044]: conn=1007 op=8 do_modify: dn (cn=Test Test,ou=People,dc=example,dc=com)
Apr 6 15:44:22 debian slapd[3044]: >>> dnPrettyNormal: <cn=Test Test,ou=People,dc=example,dc=com>
Apr 6 15:44:22 debian slapd[3044]: <<< dnPrettyNormal: <cn=Test Test,ou=People,dc=example,dc=com>, <cn=test test,ou=people,dc=example,dc=com>
Apr 6 15:44:22 debian slapd[3044]: conn=1007 op=8 modifications:
Apr 6 15:44:22 debian slapd[3044]: #011replace: userPassword
Apr 6 15:44:22 debian slapd[3044]: #011#011one value, length 20
Apr 6 15:44:22 debian slapd[3044]: conn=1007 op=8 MOD dn="cn=Test Test,ou=People,dc=example,dc=com"
Apr 6 15:44:22 debian slapd[3044]: conn=1007 op=8 MOD attr=userPassword
Apr 6 15:44:22 debian slapd[3044]: bdb_dn2entry("cn=test test,ou=people,dc=example,dc=com")
Apr 6 15:44:22 debian slapd[3044]: send_ldap_result: conn=1007 op=8 p=3
Apr 6 15:44:22 debian slapd[3044]: send_ldap_result: err=10 matched="" text=""
Apr 6 15:44:22 debian slapd[3044]: send_ldap_result: referral="ldaps://ldap.example.com/cn=Test%20Test,ou=People,dc=example,dc=com"
Apr 6 15:44:22 debian slapd[3044]: send_ldap_response: msgid=9 tag=103 err=10
Apr 6 15:44:22 debian slapd[3044]: send_ldap_response: ref="ldaps://ldap.example.com/cn=Test%20Test,ou=People,dc=example,dc=com"
Apr 6 15:44:22 debian slapd[3044]: conn=1007 op=8 RESULT tag=103 err=10 text=
Apr 6 15:44:22 debian slapd[3044]: connection_get(17)
Apr 6 15:44:22 debian slapd[3044]: connection_get(17): got connid=1007
Apr 6 15:44:22 debian slapd[3044]: connection_read(17): checking for input on id=1007
Apr 6 15:44:22 debian slapd[3044]: op tag 0x42, time 1333719862
Apr 6 15:44:22 debian slapd[3044]: conn=1007 op=9 do_unbind
Apr 6 15:44:22 debian slapd[3044]: conn=1007 op=9 UNBIND
Apr 6 15:44:22 debian slapd[3044]: connection_close: conn=1007 sd=17
Apr 6 15:44:22 debian slapd[3044]: conn=1007 fd=17 closed
Apr 6 15:44:22 debian slapd[3044]: connection_get(16)
Apr 6 15:44:22 debian slapd[3044]: connection_get(16): got connid=1006
Apr 6 15:44:22 debian slapd[3044]: connection_read(16): checking for input on id=1006
Apr 6 15:44:22 debian slapd[3044]: ber_get_next on fd 16 failed errno=0 (Success)
Apr 6 15:44:22 debian slapd[3044]: connection_close: conn=1006 sd=16
Apr 6 15:44:22 debian slapd[3044]: conn=1006 fd=16 closed (connection lost)
Why objectClass=passwordPolicy? I can find that kind of objectClass in my base.
I read that I need some ACLs. But where do I have to put them?
On the master I already have some ACLs:
access to attrs=userPassword,shadowLastChange
        by self write
        by dn="cn=syncuser,dc=example,dc=com" read
        by anonymous auth
        by * none

access to *
        by self write
        by * read
In the slave I've put:
syncrepl rid=202
        provider=ldaps://ldap.example.com
        type=refreshOnly
        interval=00:01:00:00
        retry="60 10 300 +"
        filter="(objectClass=*)"
        scope=sub
        attrs="*"
        bindmethod=simple
        schemachecking=off
        searchbase="dc=example,dc=com"
        binddn="cn=syncuser,dc=example,dc=com"
        credentials=youdonthavetoknow
        tls_reqcert=never
updateref ldaps://ldap.example.com
Thanks in advance for your help and explanation.
Jacques Foucry
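As an added example (not part of the original thread or of OpenLDAP), a small Python parser that walks slapd log lines in the format quoted above, groups them by conn/op, and reports each operation the replica answered with LDAP resultCode 10 (referral) together with the referral URL it sent and the attribute being modified. It lets an administrator confirm from the log that a write was handed off to the updateref target rather than rejected by an ACL (err=50) or failed otherwise. The sample log lines are constructed, reduced from the post's own excerpt.

```python
import re
from dataclasses import dataclass, field

# Patterns for the slapd log format shown in the post; the syslog prefix ("Apr 6 15:44:22 debian slapd[3044]: ") is stripped first.
PREFIX = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ slapd\[\d+\]: ")
OP = re.compile(r"conn=(\d+) op=(\d+)")
MOD_DN = re.compile(r'MOD dn="([^"]*)"')
MOD_ATTR = re.compile(r"MOD attr=(\S+)")
RESULT = re.compile(r"RESULT tag=\d+ err=(\d+)")
REF = re.compile(r'send_ldap_response: ref="([^"]*)"')
LDAP_REFERRAL = 10  # LDAP resultCode referral(10): the server will not perform the write locally

@dataclass
class Operation:
    conn: str
    op: str
    dn: str = ""
    attrs: list = field(default_factory=list)
    err: int = -1          # -1 until a RESULT line for this op has been seen
    referral: str = ""     # URL from the ref="..." line, if slapd sent one

def parse_slapd_log(lines):
    """Group log lines by (conn, op); collect target DN, modified attributes, result code and referral URL."""
    ops, current = {}, None  # ref="..." lines carry no conn/op, so they are attached to the last op seen
    for raw in lines:
        msg = PREFIX.sub("", raw.strip())
        if m := OP.search(msg):
            current = ops.setdefault(m.groups(), Operation(*m.groups()))
            if d := MOD_DN.search(msg):
                current.dn = d.group(1)
            if a := MOD_ATTR.search(msg):
                current.attrs.append(a.group(1))
            if r := RESULT.search(msg):
                current.err = int(r.group(1))
        elif current and (ref := REF.search(msg)):
            current.referral = ref.group(1)
    return list(ops.values())

def referred_writes(lines):
    """Operations slapd answered with referral(10), i.e. writes the replica handed off to its updateref."""
    return [o for o in parse_slapd_log(lines) if o.err == LDAP_REFERRAL]

# Constructed sample, reduced from the post's log: a ppolicy lookup (err=0) followed by the referred password change.
SAMPLE_LOG = """\
Apr 6 15:44:17 debian slapd[3044]: conn=1007 op=7 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 6 15:44:22 debian slapd[3044]: conn=1007 op=8 MOD dn="cn=Test Test,ou=People,dc=example,dc=com"
Apr 6 15:44:22 debian slapd[3044]: conn=1007 op=8 MOD attr=userPassword
Apr 6 15:44:22 debian slapd[3044]: send_ldap_response: ref="ldaps://ldap.example.com/cn=Test%20Test,ou=People,dc=example,dc=com"
Apr 6 15:44:22 debian slapd[3044]: conn=1007 op=8 RESULT tag=103 err=10 text=
""".splitlines()
```

Running `referred_writes(SAMPLE_LOG)` yields one operation: conn 1007 op 8, modifying userPassword on cn=Test Test, referred to ldaps://ldap.example.com; the op 7 search with err=0 is filtered out.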