On Apr 22, 2010, at 4:54 PM, masarati@aero.polimi.it wrote:
I've noticed the following in the logs, though, which confuses me even more:
PROXIED attributeDescription "PWDHISTORY" inserted.
PROXIED attributeDescription "PWDPOLICYSUBENTRY" inserted.
PROXIED attributeDescription "PWDCHANGEDTIME" inserted.
PROXIED attributeDescription "PWDCHANGEDTIME" inserted.
This is a clear indication the schema is ***not*** loaded. That's why I asked. The ppolicy schema is loaded by default when slapo-ppolicy is built statically in slapd. Otherwise you need to either load ppolicy.schema, or load the ppolicy.la module. In any case, the schema must be present also on the proxy, even though the proxy does not need to have the overlay instantiated. It would be waaaaaay easier if you posted your remote host & proxy configuration, and detailed how OpenLDAP was built (namely, static or dynamic modules).
p.
I failed to mention that the above messages were after I removed ppolicy. I'm using third party rpms from Buchan; it is built with dynamic modules:
#####################################################
Name        : openldap2.4-servers              Relocations: (not relocatable)
Version     : 2.4.18                           Vendor: TelkomInternet
Release     : 1.rhel5                          Build Date: Fri 18 Sep 2009 05:43:56 AM EDT
Install Date: Mon 21 Sep 2009 05:47:01 PM EDT  Build Host: build.telkomsa.net
Group       : System/Servers                   Source RPM: openldap2.4-2.4.18-1.rhel5.src.rpm
Size        : 4774420                          License: Artistic
Signature   : DSA/SHA1, Fri 18 Sep 2009 05:52:27 AM EDT, Key ID ac92ba5060d204a7
Packager    : Buchan Milne bgmilne@staff.telkomsa.net
URL         : http://www.openldap.org
Summary     : OpenLDAP servers and related files
Description :
OpenLDAP Servers

This package contains the OpenLDAP server, slapd (LDAP server), additional backends, configuration files, schema definitions required for operation, and database maintenance tools.

This server package was compiled with support for the berkeley database library.
###########################################################
Below are my configs (database config was added so I could convert over to cn=config, which I can assure you has not changed since I converted it):
PROXY:
include /usr/share/openldap2.4/schema/core.schema
include /usr/share/openldap2.4/schema/cosine.schema
include /usr/share/openldap2.4/schema/corba.schema
include /usr/share/openldap2.4/schema/inetorgperson.schema
include /usr/share/openldap2.4/schema/java.schema
include /usr/share/openldap2.4/schema/krb5-kdc.schema
include /usr/share/openldap2.4/schema/kerberosobject.schema
include /usr/share/openldap2.4/schema/nis.schema
include /usr/share/openldap2.4/schema/openldap.schema
include /usr/share/openldap2.4/schema/autofs.schema
include /usr/share/openldap2.4/schema/samba.schema
include /usr/share/openldap2.4/schema/kolab.schema
include /usr/share/openldap2.4/schema/evolutionperson.schema
include /usr/share/openldap2.4/schema/calendar.schema
include /usr/share/openldap2.4/schema/sudo.schema
include /usr/share/openldap2.4/schema/dnszone.schema
include /usr/share/openldap2.4/schema/dhcp.schema
include /usr/share/openldap2.4/schema/ppolicy.schema
I see. What I note is that some of the schema elements are only defined by the overlay itself; they are not specified in the schema file. This makes sense, because they are operational, and slapd does not allow specifying operational attributes in the configuration. For this purpose, you need to
moduleload ppolicy.la
in your proxy configuration, *without* configuring the ppolicy overlay on the proxy database. This should make all attributes related to ppolicy known to the proxy. Does this solve all your issues, or is there anything left? I mean, apart from the fix to ITS#6530, which allows proxying control responses on successful binds.
p.
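As an added illustration of the arrangement described above (this is example configuration written for this page, not the poster's or the project's own files; the module path, suffix, remote URI, backend module, directory and policy DN are assumptions, while the schema paths are the ones shown in the thread), a minimal slapd.conf pair: the proxy loads ppolicy.la so the overlay's operational attributes are registered in its schema, but only the remote host instantiates the overlay and enforces the policy.

```conf
# --- PROXY slapd.conf (added example; values marked "assumed" are not from the thread) ---
include         /usr/share/openldap2.4/schema/core.schema
include         /usr/share/openldap2.4/schema/cosine.schema
include         /usr/share/openldap2.4/schema/inetorgperson.schema
include         /usr/share/openldap2.4/schema/ppolicy.schema

# Loading the module (not just the .schema file) is what registers the
# overlay-defined operational attributes -- pwdChangedTime, pwdHistory,
# pwdPolicySubentry -- with this slapd's schema. Without it, back-ldap
# logs 'PROXIED attributeDescription "..." inserted' for every unknown
# attribute it sees coming back from the remote host.
modulepath      /usr/lib/openldap2.4          # assumed path
moduleload      back_ldap.la
moduleload      ppolicy.la

database        ldap
suffix          "dc=example,dc=com"           # assumed suffix
uri             "ldap://ldap-master.example.com"   # assumed remote host
# Deliberately NO "overlay ppolicy" on the proxy: policy state lives on
# the remote host, the proxy only needs to understand the attribute names.

# --- REMOTE HOST slapd.conf (the server that actually enforces the policy) ---
include         /usr/share/openldap2.4/schema/core.schema
include         /usr/share/openldap2.4/schema/cosine.schema
include         /usr/share/openldap2.4/schema/inetorgperson.schema
include         /usr/share/openldap2.4/schema/ppolicy.schema

modulepath      /usr/lib/openldap2.4          # assumed path
moduleload      back_bdb.la                   # assumed: bdb built as a module
moduleload      ppolicy.la

database        bdb
suffix          "dc=example,dc=com"           # assumed suffix
directory       /var/lib/ldap                 # assumed directory
overlay         ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"   # assumed policy DN
```

The check that the proxy side is right is the absence of the "PROXIED attributeDescription ... inserted" lines at startup and in searches; once the module is loaded, a search that requests pwdChangedTime or pwdHistory through the proxy is passed to the remote host with the attribute names intact. Whether the remote host returns the password policy response controls to the proxy on a bind is a separate matter, which is the ITS#6530 point raised in the thread.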
Yes! Your solution of loading the module but not configuring it on the proxy solved the false alarms on the proxy and did allow searches for the attributes to be recognized. My only problem now as you pointed out is in the ITS where password policy controls are not being sent back to the proxy.
Thanks for your help :)