Good morning all
After quite a bit of work, I got replication working (thank you all).
So I forged ahead and deployed the server in our RHEL 5.5 environment. But now I just realized that none of my ppolicy rules work. Also, the Red Hat clients are configured to use MD5 hashes. When I look at the accounts in webmin, it shows them as crypt? I know OpenLDAP likes salted SHA, but I thought I'd do what Red Hat wanted, which was MD5.
Password history, aging, etc. A search used to show me all of my ppolicy objects:
    ldapsearch -v -x -b 'dc=chin,dc=ca' cn=default
But now it returns nothing. Users can reuse passwords, so no history or aging is working. No locking. I had to change ACLs on the provider and consumer to get the replication working. Would that cause the problem?
Here is my policy LDIF file I added to the server:
    # policies, chin.com
    dn: ou=policies,dc=chin,dc=ca
    objectClass: organizationalUnit
    objectClass: top
    ou: policies

    # default, policies, chin.com
    dn: cn=default,ou=policies,dc=chin,dc=ca
    objectClass: top
    objectClass: device
    objectClass: pwdPolicy
    cn: default
    pwdAttribute: userPassword
    pwdInHistory: 6
    pwdCheckQuality: 1
    pwdMinLength: 8
    pwdMaxFailure: 4
    pwdLockout: TRUE
    pwdLockoutDuration: 1920
    pwdGraceAuthNLimit: 0
    pwdFailureCountInterval: 0
    pwdMustChange: TRUE
    pwdAllowUserChange: TRUE
    pwdSafeModify: FALSE
    pwdMaxAge: 10368000
    pwdExpireWarning: 1209600
    pwdMinAge: 86400
Provider:

    #
    # See slapd.conf(5) for details on configuration options.
    # This file should NOT be world readable.
    #
    include         /etc/openldap/schema/misc.schema
    include         /etc/openldap/schema/core.schema
    include         /etc/openldap/schema/cosine.schema
    include         /etc/openldap/schema/inetorgperson.schema
    include         /etc/openldap/schema/nis.schema
    include         /etc/openldap/schema/redhat/autofs.schema

    include         /etc/openldap/schema/ppolicy.schema

    ### added for host_attr access, this scheme gives me a host object for wrappers
    include         /usr/share/doc/nss_ldap-253/ldapns.schema

    # Allow LDAPv2 client connections.  This is NOT the default.
    allow bind_v2 bind_anon_cred

    # Do not enable referrals until AFTER you have a working directory
    # service AND an understanding of referrals.
    #referral       ldap://root.openldap.org

    pidfile         /var/run/openldap/slapd.pid
    argsfile        /var/run/openldap/slapd.args

    # note, enabling debugging info really slows the beast down
    #loglevel       128
    loglevel        256
    #loglevel       conns filter

    logfile         /var/log/slapd.log

    # Load dynamic backend modules using this path!!!
    modulepath      /usr/lib/openldap

    moduleload      ppolicy.la
    moduleload      accesslog.la

    # modules available in openldap-servers-sql RPM package:
    # moduleload    back_sql.la

    #################################################################

    schemacheck     on
    lastmod         on

    access to attrs=userPassword
            by self write
            by anonymous auth
            by * none

    ########################################
    ### ACL for syncrepl.
    ########################################

    #access to attrs=userPassword
    #       by self write
    #       by uid=replicator,ou=people,dc=chin,dc=ca read
    #       by anonymous auth
    #       by * none

    access to attrs=userPassword,shadowLastChange
            by dn="dc=admin,dc=chin,dc=ca" write
            by anonymous auth

    access to *
            by dn="dc=admin,dc=chin,dc=ca" write
            by * read

    #access to attrs=shadowLastChange
    #       by self write
    #       by * read

    access to *
            by * read

    #### WIDE OPEN - For testing only
    ##NOPE access to * by * write access to * by * read

    # -------------------------------------------------------------------
    #
    # Access log database instance for replication
    #
    # -------------------------------------------------------------------

    # Accesslog database definitions
    database        bdb
    suffix          cn=accesslog
    directory       /var/lib/db/accesslog
    rootdn          cn=accesslog
    index           default eq
    index           entryCSN,objectClass,reqEnd,reqResult,reqStart

    overlay         syncprov
    syncprov-nopresent TRUE
    syncprov-reloadhint TRUE

    # -------------------------------------------------------------------
    #
    # Primary database instance
    #
    # -------------------------------------------------------------------

    database        bdb
    suffix          "dc=chin,dc=ca"
    rootdn          "cn=admin, dc=chin,dc=ca"

    # rootpw
    rootpw          {SSHA}TCYoUVYYYXXXXXbQsitJ3V7zo+c887NC

    directory       /var/lib/ldap

    index objectClass                       eq,pres
    index ou,cn,mail,surname,givenname      eq,pres,sub
    index uidNumber,gidNumber,loginShell    eq,pres
    index uid,memberUid                     eq,pres,sub
    index nisMapName,nisMapEntry            eq,pres,sub
    index entryCSN,entryUUID                eq

    # define the default policy
    overlay ppolicy
    ppolicy_default "cn=default,ou=policies,dc=chin,dc=ca"
    ppolicy_use_lockout

    # syncrepl Provider for primary db
    overlay syncprov
    syncprov-checkpoint 1000 60

    # accesslog overlay definitions for primary db
    overlay accesslog
    logdb cn=accesslog
    logops writes
    logsuccess TRUE
    # scan the accesslog DB every day, and purge entries older than 7 days
    logpurge 07+00:00 01+00:00

    # Let the replica DN have limitless searches
    limits dn.exact="uid=replicator,ou=People,dc=chin,dc=ca" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
Consumer:
    #
    # See slapd.conf(5) for details on configuration options.
    # This file should NOT be world readable.
    #
    include         /etc/openldap/schema/misc.schema
    include         /etc/openldap/schema/core.schema
    include         /etc/openldap/schema/cosine.schema
    include         /etc/openldap/schema/inetorgperson.schema
    include         /etc/openldap/schema/nis.schema
    include         /etc/openldap/schema/redhat/autofs.schema
    include         /etc/openldap/schema/ppolicy.schema

    ### added for host_attr access, this scheme gives me a host object for wrappers
    include         /usr/share/doc/nss_ldap-253/ldapns.schema

    # Allow LDAPv2 client connections.  This is NOT the default.
    allow bind_v2 bind_anon_cred

    pidfile         /var/run/openldap/slapd.pid
    argsfile        /var/run/openldap/slapd.args

    loglevel        256
    logfile         /var/log/slapd.log

    modulepath      /usr/lib/openldap

    # -------------------------------------------------------------------
    #
    # Primary database instance
    #
    # -------------------------------------------------------------------

    database        bdb
    suffix          "dc=chin,dc=ca"
    rootdn          "cn=admin,dc=chin,dc=ca"

    directory       /var/lib/ldap

    moduleload      ppolicy.la
    overlay ppolicy
    ppolicy_default "cn=default,ou=policies,dc=chin,dc=ca"
    ppolicy_use_lockout

    # -------------------------------------------------------------------
    #
    # Replica configuration instance
    #
    # -------------------------------------------------------------------

    # syncrepl specific indices
    index entryUUID eq uniqueMember
    index objectClass                       eq,pres
    index ou,cn,mail,surname,givenname      eq,pres,sub
    index uidNumber,gidNumber,loginShell    eq,pres
    index uid,memberUid                     eq,pres,sub
    index nisMapName,nisMapEntry            eq,pres,sub
    index entryCSN                          eq

    # syncrepl directives
    syncrepl rid=0
            provider=ldap://ldap
            bindmethod=simple
            binddn="uid=replicator,ou=people,dc=chin,dc=ca"
            #binddn="cn=admin,dc=chin,dc=ca"
            credentials=xxxxx
            searchbase="dc=chin,dc=ca"
            logbase="cn=accesslog"
            logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
            schemachecking=off
            type=refreshAndPersist
            retry="60 +"
            syncdata=accesslog

    # Refer updates to the master
    updateref ldap://ldap
Any suggestions would be dandy and much appreciated. I'm new to LDAP, as you can tell.
Thanks
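Editor's note with an added example (not part of the original post or of OpenLDAP). slapd evaluates `access to` directives in file order and uses the first one whose `<what>` clause selects the entry or attribute being accessed; later directives that select the same target are never consulted (slapd.access(5)). The provider config above therefore has a second `userPassword` directive and a second `access to *` that can never fire. The script below parses the posted ACL section (reconstructed inline as sample input, comments dropped) and reports which parts of each directive are unreachable, then runs the same check over one reordered version. The reordered version is my assumption of what was intended: a single `userPassword` directive that also lets the syncrepl bind DN from the post read the hash, and a single catch-all. Only the two `<what>` forms the post uses, `*` and `attrs=...`, are modelled.

```python
"""Lint slapd.conf 'access to' directives for first-match shadowing.

slapd uses the FIRST 'access to' directive whose <what> selects the target;
anything a later directive says about the same target is dead configuration.
Added example, not code from the original post.  Only '*' and 'attrs=a,b'
<what> forms are modelled; other selectors are left alone.
"""
import re

ALL = "*"   # marker: every remaining target is claimed by an earlier directive

# Constructed sample input: the provider ACLs as posted, comment lines removed.
POSTED_ACLS = """
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to attrs=userPassword,shadowLastChange
        by dn="dc=admin,dc=chin,dc=ca" write
        by anonymous auth

access to *
        by dn="dc=admin,dc=chin,dc=ca" write
        by * read

access to *
        by * read
"""

# Assumed reordering that the checker passes: one userPassword directive that
# also grants the syncrepl DN from the post read access (assumption: the
# replica should carry userPassword), then one catch-all.  cn=admin is the
# rootdn in the post and bypasses ACLs, so it is not listed.
FIXED_ACLS = """
access to attrs=userPassword,shadowLastChange
        by self write
        by dn.exact="uid=replicator,ou=people,dc=chin,dc=ca" read
        by anonymous auth
        by * none

access to *
        by * read
"""


def parse_acls(text):
    """Return [{'what': str, 'by': [str, ...]}, ...] in file order."""
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    acls = []
    for block in re.split(r"(?m)^(?=access\s+to\s)", "\n".join(lines)):
        block = block.strip()
        if not block:
            continue
        body = re.sub(r"^access\s+to\s+", "", block)
        what, *by = re.split(r"\s+by\s+", body)
        acls.append({"what": what.strip(), "by": [b.strip() for b in by]})
    return acls


def targets(what):
    """Attributes a <what> clause selects: ALL for '*', a set for attrs=...,
    None for selector forms this lint does not model."""
    if what == "*":
        return ALL
    m = re.fullmatch(r"attrs=([\w,-]+)", what)
    return set(m.group(1).split(",")) if m else None


def find_shadowed(acls):
    """Report [(index, what, dead)]: dead is ALL when the whole directive is
    unreachable, otherwise the set of its attrs an earlier directive claims."""
    claimed = set()          # attrs already taken by an earlier attrs= directive
    catch_all_seen = False   # an earlier 'access to *' takes everything else
    report = []
    for i, acl in enumerate(acls):
        t = targets(acl["what"])
        if catch_all_seen:
            report.append((i, acl["what"], ALL))
        elif t is ALL:
            catch_all_seen = True
        elif t is not None:
            dead = t & claimed
            if dead:
                report.append((i, acl["what"], ALL if dead == t else dead))
            claimed |= t
    return report


def named_dns(acls):
    """Every DN quoted in a 'by dn=...' / 'by dn.<style>=...' clause."""
    return {m.group(1) for acl in acls for b in acl["by"]
            for m in re.finditer(r'dn(?:\.\w+)?="([^"]+)"', b)}


def lint(text):
    """Print a summary of shadowed directives; return the number of findings."""
    acls = parse_acls(text)
    findings = find_shadowed(acls)
    for i, what, dead in findings:
        if dead is ALL:
            print(f"directive {i} 'access to {what}': never reached")
        else:
            print(f"directive {i} 'access to {what}': {sorted(dead)} already "
                  f"handled earlier; only {sorted(targets(what) - dead)} reach it")
    if not findings:
        print("no shadowed directives")
    print("DNs named in by-clauses:", sorted(named_dns(acls)) or "none")
    return len(findings)


if __name__ == "__main__":
    print("== ACLs as posted ==")
    lint(POSTED_ACLS)
    print("== reordered ==")
    lint(FIXED_ACLS)
```

On the posted ACLs the checker reports that the `userPassword` half of the second directive is dead (only `shadowLastChange` ever reaches it) and that the final `access to * by * read` is never reached, so in practice `userPassword` is governed solely by `self write / anonymous auth / * none`. Two things follow from the output that are worth checking against the post: the only DN named in any `by` clause is `dc=admin,dc=chin,dc=ca`, which is not the configured rootdn (`cn=admin,dc=chin,dc=ca`, exempt from ACLs anyway) and so is probably a typo, and `uid=replicator` appears in no active directive, so the consumer's syncrepl bind gets `by * none` on `userPassword` unless the commented-out block granting it `read` is restored. Separately, `pam_password md5` in the client's ldap.conf makes pam_ldap hash the password itself and store it as `{crypt}$1$...`, which is the "crypt" webmin shows; slapo-ppolicy(5) notes that with `pwdCheckQuality: 1` a value it cannot check (a pre-hashed one) is accepted, and a history comparison against a client-salted hash will not reliably match, so quality and history enforcement generally need the server to receive the cleartext (e.g. `pam_password exop` with a server-side `password-hash`).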