On Tue, Jul 16, 2024 at 05:58:44AM -0700, Christopher Paul wrote:
> Hi OpenLDAP-Technical,
> Thank you, OpenLDAP Project Team, for slapo-remoteauth. It is much simpler to set up compared to SASL.
> I have one comment relating to using "remoteauth_store on" and the possibility of being able to handle upstream password changes.
> According to the manual, and confirmed by testing, slapo-remoteauth is only engaged when the userPassword value is not present. In order for upstream AD password changes to propagate when using "remoteauth_store on", it would seem to be very useful to also engage the overlay when the userPassword value is present and a simple BIND fails with err=49.
Hi Chris, this option is meant to be used when migrating away from the other source, not password replication. You might have some luck using slapo-pcache instead for this kind of thing?
Regards,