ppolicy_forward_updates - operation is restricted

15 May 2025

      Good morning,
I'm trying to configure ppolicy_forward_updates to master from slaves on
Symas OpenLDAP 2.6.9, so that both successful authentications (ppolicy
attribute pwdLastSuccess) and failed authentications (ppolicy
attribute pwdFailureTime) get forwarded and written on the master.
Following some documentation [1] [2] I have configured on the slave:
* chain overlay in order to define how to connect to master (credentials,
tls, etc)
* updateref (after syncrepl section), in order to define where to send
updates
* ppolicy_forward_updates, in order to define that ppolicy operations must
be forwarded.
I have also configured lastbind overlay to define desired precision to save
pwdLastSuccess, and this is working perfectly on the master server.
Both attributes (pwdLastSuccess and pwdFailureTime) are respectively being
updated flawlessly when binding to the master server.
Syncrepl between master and slave is also working properly, so that they
both get replicated to the slave.
But when binding to the slave, the "ppolicy forward updates" functionality
is not working and I can not find out why.
I have looked at the usual suspects, as ACL permissions on master,
connectivity, etc.
But after some debugging I don't see the slave trying to connect to the
master (using tcpdump on the slave I can not see any traffic), so I have
discarded any problems on the master itself (ACL), and I am guessing that
the problem is on the slave part.
When trying to further debug the problem, I can see on the slave server:
* On *successful* auths, when trying to write pwdLastSuccess:
slapd[320250]: send_ldap_result: err=53 matched="" text="operation
restricted"
slapd[320250]: conn=1002 op=0 ppolicy_bind_response: ppolicy state change
failed with rc=53 text=operation restricted
slapd[320250]: conn=1002 op=0 RESULT tag=97 err=0 qtime=0.000005
etime=0.000335 text=
slapd[320250]: connection_get(23)
* On *failed* auths, when trying to write pwdFailureTime:
slapd[320250]: send_ldap_result: err=49 matched="" text=""
slapd[320250]: => mdb_entry_get: ndn: "<<userdn_redacted>>"
slapd[320250]: => mdb_entry_get: oc: "(null)", at: "(null)"
slapd[320250]: => mdb_entry_get: found entry: "<<userdn_redacted>>"
slapd[320250]: send_ldap_result: err=53 matched="" text="operation
restricted"
slapd[320250]: conn=1003 op=0 ppolicy_bind_response: ppolicy state change
failed with rc=53 text=operation restricted
slapd[320250]: conn=1003 op=0 RESULT tag=97 err=49 qtime=0.000013
etime=0.000601 text=
slapd[320250]: connection_get(23)
slapd[320250]: conn=1003 op=1 UNBIND
slapd[320250]: conn=1003 fd=23 close
And I am not able to get more detailed information to find out why this
operation is restricted.
"ppolicy_bind_response" messages makes me suppose that it is indeed trying
to bind somewhere, but I am not seeing any connection trying to be made
outside the slave server.
Is there some way to check where it is trying to bind?
I don't know where else to look in order to find out what 's wrong.
Anyone have any tips?
Thank you so much for your help.
[1]
https://kb.symas.com/en_US/configuration/configuring-ppolicy-for-openldap-25
[2]  https://kb.symas.com/en_US/configuration/referrals-and-chaining)
------------------------------
*Oscar Remírez de Ganuza Satrústegui*
Technology and IT Operations
IT Services
T: +34 948425600 x803130
oscarrdg@unav.es
------------------------------
[image: Universidad de Navarra] http://www.unav.edu/
-- 

*Este mensaje puede contener información confidencial. Si usted no es el 
destinatario o lo ha recibido por error, por favor, bórrelo de sus sistemas 
y comuníquelo a la mayor brevedad al remitente. Los datos personales 
incluidos en los correos electrónicos que intercambie con el personal de la 
Universidad de Navarra podrán ser almacenados en la libreta de direcciones 
de su interlocutor y/o en los servidores de la Universidad durante el 
tiempo fijado en su política interna de conservación de información. La 
Universidad de Navarra gestiona dichos datos con fines meramente 
operativos, para permitir el contacto por email entre sus 
trabajadores/colaboradores y terceros. Puede consultar la Política de 
Privacidad de la Universidad de Navarra en la dirección: 
**https://www.unav.edu/aviso-legal* https://www.unav.edu/aviso-legal****

** **

*This email message may contain confidential information. If you are 
not the intended recipient of this message or their agent, or if this 
message has been addressed to you in error, please immediately alert the 
sender by reply email and then delete this message and any attachments.  
The personal information included in email messages exchanged with 
employees of the University of Navarra may be stored in the database of 
your interlocutor and/or the servers of the University for the time-period 
stipulated by its internal information storage policy. The University 
stores such data for purely administrative purposes, to facilitate e-mail 
contact between its employees and third parties. The University of Navarra 
Privacy Policy may be accessed at https://www.unav.edu/aviso-legal 
https://www.unav.edu/aviso-legal      *****

** **

_Antes de imprimir 
este mensaje o sus documentos anexos, asegúrese de que es necesario. 
Proteger el medio ambiente está en nuestras manos.
Before printing this 
e-mail or attachments, be sure it is necessary. _It is in our hands to 
protect the environment.__

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

ppolicy_forward_updates - operation is restricted