I have a master-slave configuration, sync'ed with syncrepl.  Most of my LDAP clients connect directly to the slave servers.  Some of my client can handle referrals, but others cannot.  For this reason, I use the 'chain' overlay.

The configuration works fine when I have 'pam_password clear' in my clients' ldap.conf.  But with 'pam_password md5', the clients are not sending the control messaging for ppolicy.  This seems to be a pam_ldap issue, but I cannot seem to track it down and correct it.

It has been suggested that I use the 'pam_password exop' option on the clients as a work-around for the pam_ldap issue.  Doing this, I get hashed passwords, as well as correct ppolicy control messaging, and everything works fine doing this in my other (lab) scenario where I am not required to use chaining.  BUT, in my chaining config, when the user makes a password change, instead of the user's password being changed, the chain's bind password is changed. NOTE: I do not employ SASL.

Is this configuration supported?  Anyone know why the chain's bind password would be getting changed, instead of the user's?

Thanks, Joe _________________________________________________________________ Windows Live Hotmail gives you a free,exclusive gift. http://www.microsoft.com/windows/windowslive/hotmail_bl1/hotmail_bl1.aspx?oc...