Hey guys, I currently have a multi-master system setup with a back_ldap proxying frontend. We are using ppolicy and it is loaded fine and works on the two masters but I'm experiencing a little weirdness on the proxy side. It works fine but when I implemented password expirations the other day I keep seeing messages on the proxy like: ppolicy_bind: Setting warning for password expiry for .... = 0 seconds These entries should not be receiving any warning messages and I know my settings are correct because if I redirect to one of the masters the log output is what I expect. Also, if I run a perl script that uses password policy controls and look for time_before_expiration, the value is always 0 on the proxy while it is not even set if pwdExpireWarning is not met or a sane value if it is on the masters.
After reading slapo-ppolicy it looks like maybe I should be setting olcPPolicyForwardUpdates to TRUE (?) and set a olcupdateRef in olcDatabase={1}ldap,cn=config to both masters but it spits at me every time I try it. It also says a chain overlay should be set as well but when I read slapo-chain its says: "It is useless in conjunction with the slapd-ldap and slapd-meta backends because they already exploit the libldap specific referral chase feature." If I remove ppolicy overlay I don't see any of the values.
I need the proxy to be able to see these attributes (as in those making queries to it) and not hammer my logs with incorrect messages. Is it possible to make this work, am I doing some wrong?
Thanks for any help, Tyler