On 04/22/2010 12:26 PM, masarati@aero.polimi.it wrote:
On 04/22/2010 11:38 AM, masarati@aero.polimi.it wrote:
Hey guys,
Hi. What version? Also, it's not clear (to me) whether you're configuring slapo-ppolicy also on the proxy. If this is the case, I think you're not doing the right thing.
2.4.18. I have ppolicy set up on both masters as well as the proxy (as an overlay to back_ldap) because it was the only way I could see the values from the masters when queries were made to the proxy (which I need to be able to do).
Not sure what you mean by "see"; do you mean they be returned in search requests? This, from a proxy standpoint, should not be an issue, as they are treated much like any other attribute. Did you load ppolicy.schema on the proxy server? Do ACLs allow to return them? Are you explicitly requesting operational attributes?
By 'see' I do mean search requests directed at the proxy. If the ACLs are fine when searching on the masters then it should be fine on the proxy, right (proxy relies on the masters for ACLs)?
It depends on how you configure things, that's why I'm asking. If the proxy has no ACLs, then anything the remote host returns is passed to the client. Otherwise, the proxy performs its own checking (which, obviously, can only further restrict). I'm asking because you are hiding essential information on how your system is configured, and that doesn't help helping.
The schema is loading and yes I am requesting operational attributes
How are you requesting operational attributes? Did you add '+' to the requested attrs?
but this is through phpldapadmin's "show internal attributes" button. Maybe I'll try through the ldapsearch tool next time I am ready to try a few more things.
Yes, I was assuming (since you didn't tell) that you were using ldapsearch. Please make sure what's being requested (by looking at both the proxy and the remote host's logs). Check, don't assume.
I've noticed the following in the logs though, which confuses me even more:

PROXIED attributeDescription "PWDHISTORY" inserted.
PROXIED attributeDescription "PWDPOLICYSUBENTRY" inserted.
PROXIED attributeDescription "PWDCHANGEDTIME" inserted.
PROXIED attributeDescription "PWDCHANGEDTIME" inserted.

This is a clear indication the schema is ***not*** loaded. That's why I asked. The ppolicy schema is loaded by default when slapo-ppolicy is built statically in slapd. Otherwise you need to either load ppolicy.schema, or load the ppolicy.la module. In any case, the schema must be present also on the proxy, even though the proxy does not need to have the overlay instantiated. It would be waaaaaay easier if you posted your remote host & proxy configuration, and detailed how OpenLDAP was built (namely, static or dynamic modules).
p.
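
Added example, not part of the original message or of OpenLDAP: a small log check for the symptom discussed above, which collects the attribute names from `PROXIED attributeDescription "..." inserted.` messages and reports whether any of them belong to the password policy schema. The sample log lines are constructed (only the message text comes from the thread; the syslog prefixes and the SRCH line are made up), and the attribute list is the set of ppolicy operational attributes assumed here.

```python
import re
from collections import Counter

# Message text exactly as quoted in the thread.
PROXIED_RE = re.compile(r'PROXIED attributeDescription "([^"]+)" inserted')

# Assumption: operational attributes defined by ppolicy.schema, compared
# case-insensitively because the proxy logs the names in upper case.
PPOLICY_ATTRS = {a.upper() for a in (
    "pwdChangedTime", "pwdAccountLockedTime", "pwdFailureTime", "pwdHistory",
    "pwdGraceUseTime", "pwdReset", "pwdPolicySubentry",
)}

def undefined_attrs(log_lines):
    """Count attributes the proxy did not know and inserted as placeholders."""
    counts = Counter()
    for line in log_lines:
        # A single log line may carry several messages, hence finditer.
        for match in PROXIED_RE.finditer(line):
            counts[match.group(1).upper()] += 1
    return counts

def diagnose(log_lines):
    """Separate ppolicy attributes from other attributes unknown to the proxy."""
    counts = undefined_attrs(log_lines)
    ppolicy = sorted(a for a in counts if a in PPOLICY_ATTRS)
    other = sorted(a for a in counts if a not in PPOLICY_ATTRS)
    return {
        "ppolicy_schema_missing": bool(ppolicy),  # schema not loaded on the proxy
        "ppolicy_attrs": ppolicy,
        "other_attrs": other,
        "counts": dict(counts),
    }

# Constructed sample: hypothetical syslog prefixes around the thread's messages.
SAMPLE_LOG = [
    'Apr 22 12:01:07 proxy slapd[4242]: conn=12 op=1 SRCH base="dc=example,dc=com" scope=2',
    'Apr 22 12:01:07 proxy slapd[4242]: PROXIED attributeDescription "PWDHISTORY" inserted.',
    'Apr 22 12:01:07 proxy slapd[4242]: PROXIED attributeDescription "PWDPOLICYSUBENTRY" inserted.',
    'Apr 22 12:01:07 proxy slapd[4242]: PROXIED attributeDescription "PWDCHANGEDTIME" inserted.',
    'Apr 22 12:01:09 proxy slapd[4242]: PROXIED attributeDescription "PWDCHANGEDTIME" inserted.',
]

if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG)
    if report["ppolicy_schema_missing"]:
        print("ppolicy schema not loaded on the proxy; unknown attributes:",
              ", ".join(report["ppolicy_attrs"]))
    if report["other_attrs"]:
        print("other attributes unknown to the proxy:", ", ".join(report["other_attrs"]))
```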