I am having an issue with my 'chain' bind password getting changed instead of the user's password.
In a Red Hat Linux environment, running OpenLDAP 2.3.43 (-3.el5 RPM from RH), I am using a master-slave setup, with chaining (as opposed to referral) as a method to allow users to change passwords (most LDAP clients hit the slave). Because I have some other issues when I set (nss_ldap) 'pam_password md5' in ldap.conf, I tried setting it to 'pam_password exop' instead. But, with this setting, when a user attempts a password change from one of the Linux clients, the LDAP chain BIND password is changed on the master, instead of the user's password.
In my slave slapd.conf, I have:
####################################################################
# Chain to Master for updates
overlay chain
chain-uri "ldap://10.10.1.191"
chain-idassert-bind bindmethod="simple"
        binddn="cn=ldapChain,o=myorg,dc=myco,dc=net"
        credentials="ldapChain"
        mode="none"
#       mode="self"
chain-max-depth 2
chain-return-error TRUE
chain-rebind-as-user TRUE

#######################################################################
# To sync with the LDAP Master database using syncrepl
syncrepl rid=222
        type=refreshAndPersist
        provider=ldap://10.10.1.191
        retry="30 10 300 3"
        searchbase="dc=myco,dc=net"
        filter="(objectClass=*)"
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn="cn=syncRepl,o=myorg,dc=myco,dc=net"
        credentials="syncRepl"

updateref ldap://10.10.1.191
####################################################################
So, for example, when some user, say 'userbob', issues a 'passwd' and attempts to change his password from a Linux LDAP client (configured to hit the slave LDAP server), the password for "cn=ldapChain,o=myorg,dc=myco,dc=net" gets changed instead. The user's password does not get changed.
Anyone know what I could possibly have mis-configured that would cause this?
Thanks in advance, Joe
openldap-technical@openldap.org
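The Password Modify extended operation (RFC 3062) that 'pam_password exop' uses carries an optional userIdentity field. When that field is absent, RFC 3062 section 2.1 says the server applies the change to the requestor's own authorization identity, i.e. whatever identity the request arrived under. The following is an added example, not code from the post above or from OpenLDAP: it encodes and decodes the PasswdModifyRequestValue and shows how the targeted entry differs when the same request is presented by the user directly and when it is re-sent by a proxy that bound with its own credentials, which is what a chain overlay with an identity-assertion bind does. The DNs and passwords are constructed for illustration; the code demonstrates the RFC rule and is not a diagnosis of the configuration in the post.

```python
"""RFC 3062 Password Modify: which entry does the request target?

Added illustration (not OpenLDAP code). Hand-rolled BER so it runs offline.
"""
from __future__ import annotations

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # requestName of the exop
TAG_SEQUENCE = 0x30
TAG_USER_IDENTITY, TAG_OLD_PASSWD, TAG_NEW_PASSWD = 0x80, 0x81, 0x82  # [0], [1], [2]
_FIELD_NAMES = {
    TAG_USER_IDENTITY: "userIdentity",
    TAG_OLD_PASSWD: "oldPasswd",
    TAG_NEW_PASSWD: "newPasswd",
}


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def encode_passwd_modify(user_identity: str | None = None,
                         old_passwd: str | None = None,
                         new_passwd: str | None = None) -> bytes:
    """Build PasswdModifyRequestValue; every field is OPTIONAL per RFC 3062."""
    body = b""
    if user_identity is not None:
        body += _tlv(TAG_USER_IDENTITY, user_identity.encode())
    if old_passwd is not None:
        body += _tlv(TAG_OLD_PASSWD, old_passwd.encode())
    if new_passwd is not None:
        body += _tlv(TAG_NEW_PASSWD, new_passwd.encode())
    return _tlv(TAG_SEQUENCE, body)


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("BER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_passwd_modify(value: bytes) -> dict[str, str | None]:
    """Parse PasswdModifyRequestValue into its three optional fields."""
    tag, body, end = _read_tlv(value, 0)
    if tag != TAG_SEQUENCE or end != len(value):
        raise ValueError("not a single PasswdModifyRequestValue SEQUENCE")
    fields: dict[str, str | None] = {name: None for name in _FIELD_NAMES.values()}
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag not in _FIELD_NAMES:
            raise ValueError(f"unexpected tag 0x{tag:02x} in PasswdModifyRequestValue")
        fields[_FIELD_NAMES[tag]] = val.decode()
    return fields


def target_entry(request_value: bytes, bound_dn: str) -> str:
    """RFC 3062 section 2.1: with no userIdentity, the target is the requestor's
    own authorization identity. An empty identity is treated as absent here."""
    fields = decode_passwd_modify(request_value)
    return fields["userIdentity"] or bound_dn


# Constructed DNs: the user's entry is made up; the proxy DN is the chain bind DN from the post.
USER_DN = "uid=userbob,ou=people,dc=myco,dc=net"
PROXY_DN = "cn=ldapChain,o=myorg,dc=myco,dc=net"


def demo() -> dict[str, str]:
    """Same request, three delivery paths: the proxied request without a
    userIdentity is resolved against the proxy's own bind identity."""
    implicit = encode_passwd_modify(old_passwd="oldpw", new_passwd="newpw")
    explicit = encode_passwd_modify(user_identity=USER_DN, old_passwd="oldpw", new_passwd="newpw")
    return {
        "direct_implicit": target_entry(implicit, USER_DN),    # user bound as himself
        "proxied_implicit": target_entry(implicit, PROXY_DN),  # proxy bound as ldapChain
        "proxied_explicit": target_entry(explicit, PROXY_DN),  # identity carried in the request
    }


if __name__ == "__main__":
    for path, dn in demo().items():
        print(f"{path:18s} -> {dn}")
```

The third case is the one a proxy must guarantee: either the forwarded request names the user explicitly, or the proxy asserts the user's identity on the upstream connection, so the upstream server never resolves the change against the proxy's own account. A proxy account whose password can be overwritten by any user who triggers the exop loses its ability to bind, which takes chaining down for everyone.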