2013/10/15 Jacques Foucry jacques.foucry@novasparks.com
Hello list,
I created a VM to test ppolicy migration and replication.
On my master server some users (like mine) are "bound" to ppolicy:
I have an OU policies:

dn: cn=default,ou=policies,dc=example,dc=com
cn: default
objectclass: top
objectclass: device
objectclass: pwdPolicy
objectclass: pwdPolicyChecker
pwdallowuserchange: TRUE
pwdattribute: userPassword
pwdcheckmodule: mmc-check-password.so
pwdcheckquality: 0
pwdexpirewarning: 600
pwdfailurecountinterval: 0
pwdgraceauthnlimit: 5
pwdinhistory: 5
pwdlockout: TRUE
pwdlockoutduration: 0
pwdmaxage: 7776000
pwdmaxfailure: 5
pwdminlength: 8
pwdmustchange: TRUE
pwdsafemodify: FALSE
And my user:
dn: cn=Jacques Foucry,ou=People,dc=example,dc=com
c: France
cn: Jacques Foucry
gidnumber: 1000
givenname: Jacques
homedirectory: /home/jfoucry
loginshell: /bin/zsh
mail: jacques.foucry@example.com
objectclass: inetOrgPerson
objectclass: mozillaAbPersonAlpha
objectclass: sambaSamAccount
objectclass: posixAccount
objectclass: top
objectclass: shadowAccount
objectclass: pwdPolicy
ou: RT_Users
postalcode: 75009
pwdattribute: userPassword
sambaacctflags: [U]
shadowlastchange: 15987
shadowmax: 120
shadowmin: 7
shadowwarning: 7
sn: Foucry
uid: jfoucry
uidnumber: 1010
userpassword: --password--

On the replica VM I created a slapd.conf file (I cannot understand the "new" syntax).
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/mozillaAbPersonAlpha.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/pureftpd.schema
include /etc/ldap/schema/ppolicy.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

loglevel config sync
modulepath /usr/lib/ldap
moduleload back_hdb

database hdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}--password--
directory /var/lib/ldap

referral ldaps://192.168.72.13
syncrepl rid=020
    provider=ldaps://192.168.72.13
    type=refreshOnly
    interval=00:08:00:00
    retry="60 10 300 +"
    filter="(objectClass=*)"
    scope=sub
    attrs="*"
    bindmethod=simple
    schemachecking=off
    searchbase="dc=example,dc=com"
    binddn="cn=syncuser,dc=example,dc=com"
    credentials=--password--
    tls_reqcert=never

When I start slapd on the slave VM, it sounds correct but only a few of my user records are synced. For example, mine is not.
On the master:
# ldapsearch -x -b"ou=people,dc=example,dc=com" uid=jfoucry
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=example,dc=com> with scope subtree
# filter: uid=jfoucry
# requesting: ALL
#

# Jacques Foucry, People, example.com
dn: cn=Jacques Foucry,ou=People,dc=example,dc=com
c: France
cn: Jacques Foucry
mail: jacques.foucry@example.com
gidNumber: 1000
givenName: Jacques
homeDirectory: /home/jfoucry
loginShell: /bin/zsh
ou: RT_Users
postalCode: 75009
shadowMax: 120
shadowMin: 7
shadowWarning: 7
sn: Foucry
uidNumber: 1010
uid: jfoucry
objectClass: inetOrgPerson
objectClass: mozillaAbPersonAlpha
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: pwdPolicy
pwdAttribute: userPassword
shadowLastChange: 15987

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
On the slave:
ldapsearch -x -b"ou=people,dc=example,dc=com" uid=jfoucry
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=example,dc=com> with scope subtree
# filter: uid=jfoucry
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

I can't figure out what's wrong. Why are some records synced and others not? Is it because of ppolicy?
Thanks in advance for your help,
Hi,
some remarks:
- do not use pwdPolicy objectClass in a user entry. pwdPolicy is designed to create configuration objects, like you do with cn=default,ou=policies,dc=example,dc=com
- you seem to mix UNIX password policy (shadow* attributes) and LDAP password policy. This might not work as you expect
- have you configured a syncprov overlay on your master?
Clément.
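Added example, not code from either poster: a minimal LDIF parser plus an audit that flags the two schema problems Clément raises (pwdPolicy objectClass on an account entry, and shadow* UNIX policy attributes mixed with pwdPolicy). The sample LDIF is constructed to mirror the thread's entries; in practice feed it the output of ldapsearch -LLL from the provider.

```python
# Constructed sample LDIF (not from the thread's servers), mirroring the policy object and user entry quoted above.
SAMPLE_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword

dn: cn=Jacques Foucry,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: pwdPolicy
pwdAttribute: userPassword
shadowMax: 120
uid: jfoucry
"""

# Structural classes that mark an entry as an account rather than a policy object.
ACCOUNT_CLASSES = {"inetorgperson", "posixaccount", "shadowaccount", "sambasamaccount"}

def parse_ldif(text):
    """Parse plain LDIF into dicts of lowercased attribute -> list of values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 line folding
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():              # blank line ends an entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def audit(entries):
    """Return (dn, problem) pairs for account entries that misuse pwdPolicy."""
    findings = []
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "pwdpolicy" in classes and classes & ACCOUNT_CLASSES:
            findings.append((dn, "pwdPolicy objectClass on an account entry"))
            if any(a.startswith("shadow") for a in e):
                findings.append((dn, "mixes shadow* (UNIX) and pwdPolicy (LDAP) policy"))
    return findings
```

The policy object under ou=policies produces no finding; only the user entry carrying pwdPolicy is reported, which is the entry the replica failed to pick up.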