2013/10/15 Jacques Foucry <jacques.foucry@novasparks.com>
Hello list,

I created a VM to test ppolicy migration and replication.

On my master server some users (like mine) are "bound" to ppolicy:

I have an OU "policies":
dn: cn=default,ou=policies,dc=example,dc=com
cn: default
objectclass: top
objectclass: device
objectclass: pwdPolicy
objectclass: pwdPolicyChecker
pwdallowuserchange: TRUE
pwdattribute: userPassword
pwdcheckmodule: mmc-check-password.so
pwdcheckquality: 0
pwdexpirewarning: 600
pwdfailurecountinterval: 0
pwdgraceauthnlimit: 5
pwdinhistory: 5
pwdlockout: TRUE
pwdlockoutduration: 0
pwdmaxage: 7776000
pwdmaxfailure: 5
pwdminlength: 8
pwdmustchange: TRUE
pwdsafemodify: FALSE


And my user:

dn: cn=Jacques Foucry,ou=People,dc=example,dc=com
c: France
cn: Jacques Foucry
gidnumber: 1000
givenname: Jacques
homedirectory: /home/jfoucry
loginshell: /bin/zsh
mail: jacques.foucry@example.com
objectclass: inetOrgPerson
objectclass: mozillaAbPersonAlpha
objectclass: sambaSamAccount
objectclass: posixAccount
objectclass: top
objectclass: shadowAccount
objectclass: pwdPolicy
ou: RT_Users
postalcode: 75009
pwdattribute: userPassword
sambaacctflags: [U]
shadowlastchange: 15987
shadowmax: 120
shadowmin: 7
shadowwarning: 7
sn: Foucry
uid: jfoucry
uidnumber: 1010
userpassword: --password--

On the replica VM I created a slapd.conf file (I cannot understand the "new" syntax).

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/mozillaAbPersonAlpha.schema
include         /etc/ldap/schema/samba.schema
include         /etc/ldap/schema/pureftpd.schema
include         /etc/ldap/schema/ppolicy.schema

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

loglevel config sync
modulepath      /usr/lib/ldap
moduleload      back_hdb

database hdb
suffix  "dc=example,dc=com"
rootdn  "cn=admin,dc=example,dc=com"
rootpw  {SSHA}--password--

directory /var/lib/ldap

referral ldaps://192.168.72.13
syncrepl rid=020
        provider=ldaps://192.168.72.13
        type=refreshOnly
        interval=00:08:00:00
        retry="60 10 300 +"
        filter="(objectClass=*)"
        scope=sub
        attrs="*"
        bindmethod=simple
        schemachecking=off
        searchbase="dc=example,dc=com"
        binddn="cn=syncuser,dc=example,dc=com"
        credentials=--password--
        tls_reqcert=never
When I start slapd on the slave VM, it seems correct, but only a few of my user records are synced. For example, mine is not.

On the master:

# ldapsearch -x -b"ou=people,dc=example,dc=com" uid=jfoucry
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=example,dc=com> with scope subtree
# filter: uid=jfoucry
# requesting: ALL
#

# Jacques Foucry, People, example.com
dn: cn=Jacques Foucry,ou=People,dc=example,dc=com
c: France
cn: Jacques Foucry
mail: jacques.foucry@example.com
gidNumber: 1000
givenName: Jacques
homeDirectory: /home/jfoucry
loginShell: /bin/zsh
ou: RT_Users
postalCode: 75009
shadowMax: 120
shadowMin: 7
shadowWarning: 7
sn: Foucry
uidNumber: 1010
uid: jfoucry
objectClass: inetOrgPerson
objectClass: mozillaAbPersonAlpha
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: pwdPolicy
pwdAttribute: userPassword
shadowLastChange: 15987

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

On the slave:

# ldapsearch -x -b"ou=people,dc=example,dc=com" uid=jfoucry
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=example,dc=com> with scope subtree
# filter: uid=jfoucry
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1


I can't figure out what's wrong. Why are some records synced and others not? Is it because of ppolicy?

Thanks in advance for your help,


Hi,

some remarks:

- do not use the pwdPolicy objectClass in a user entry. pwdPolicy is designed for configuration objects, as you do with cn=default,ou=policies,dc=example,dc=com

- you seem to mix UNIX password policy (shadow* attributes) and LDAP password policy. This might not work as you expect.

- have you configured a syncprov overlay on your master?

Clément.
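The question "why are some records synced and others not?" and the reply's remark about pwdPolicy on user entries can both be checked from data rather than by guessing: dump both servers and diff them. The script below is an added example for this thread, not code from either post. It parses the LDIF produced by `slapcat` (or `ldapsearch -x -LLL`) on the provider and on the consumer, lists the DNs that never arrived, reports which objectClass values sit on every missing entry and on none of the replicated entries in the same subtree, and flags entries that carry pwdPolicy without being policy objects. The sample LDIF is constructed for the demo around the thread's DNs plus made-up users; the rule "a policy object has structural class device" is an assumption taken from the cn=default entry above, and the names `compare`, `PROVIDER_LDIF` and `CONSUMER_LDIF` are the example's own.

```python
"""Diff an OpenLDAP provider's LDIF dump against a consumer's: which entries
never replicated, and what the missing ones have in common. Added example for
the thread above, not code from either post; input is the LDIF from `slapcat`
(or `ldapsearch -x -LLL`) on each side, the sample below is constructed."""
import base64


def normalize_dn(dn):
    """Lower-case and strip spaces around RDN separators, for comparison."""
    return ",".join(p.strip() for p in dn.lower().split(","))


def parse_ldif(text):
    """LDIF -> {normalized dn: {attr (lower-case): [values]}}. Handles folded
    lines (continuation starts with a space), '#' comments, 'attr:: <base64>'."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, dn, attrs = {}, None, {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                       # not an 'attr: value' line
        name = name.strip().lower()
        if value.startswith(":"):          # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name == "dn":
            dn = normalize_dn(value)
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def compare(provider_ldif, consumer_ldif, under=None):
    """Compare both dumps (optionally only the subtree 'under'): DNs missing on
    the consumer; objectClass values on every missing entry and on no replicated
    one (a lead to check against consumer schema, provider ACLs for the syncrepl
    bind DN and overlays, not proof of the cause); and entries carrying pwdPolicy
    that are not policy objects (assumption: those have structural class
    'device', as cn=default in the thread does)."""
    consumer = parse_ldif(consumer_ldif)
    base = normalize_dn(under) if under else None
    missing, replicated, misuse = [], [], []
    for dn, attrs in parse_ldif(provider_ldif).items():
        if base is not None and dn != base and not dn.endswith("," + base):
            continue
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        (replicated if dn in consumer else missing).append((dn, classes))
        if "pwdpolicy" in classes and "device" not in classes:
            misuse.append(dn)
    on_all_missing = set.intersection(*(c for _, c in missing)) if missing else set()
    on_any_replicated = set().union(*(c for _, c in replicated))
    return {"missing": sorted(dn for dn, _ in missing),
            "only_on_missing": sorted(on_all_missing - on_any_replicated),
            "pwdpolicy_on_non_policy_entries": sorted(misuse)}


# Constructed provider dump: policy object, People OU, three users (two with pwdPolicy).
PROVIDER_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: cn=Jacques Foucry, ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: pwdPolicy
cn: Jacques Foucry
l:: UGFyaXM=
description: Test account for replication
  of password-policy entries
pwdAttribute: userPassword

dn: cn=Alice Example,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: Alice Example

dn: cn=Carol Example,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: pwdPolicy
cn: Carol Example
pwdAttribute: userPassword
"""
# Constructed consumer dump: all arrived except the two users carrying pwdPolicy.
CONSUMER_LDIF = "\n\n".join(e for e in PROVIDER_LDIF.split("\n\n")
                            if "objectClass: pwdPolicy" not in e or "device" in e)
```

Call `compare(PROVIDER_LDIF, CONSUMER_LDIF, "ou=People,dc=example,dc=com")` with `under` set to the subtree whose entries are disappearing: comparing against siblings keeps unrelated containers out of the baseline, which is why the unscoped run on this sample reports no distinguishing class (the policy object carries pwdPolicy too and did replicate). Whatever the script points at, confirm it on the consumer's log (the posted config already sets `loglevel config sync`) and by repeating the ldapsearch against the provider bound as the syncrepl binddn, since syncrepl only ships what that identity is allowed to read.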