Dear sir,
I found that the account policy can't be replicated in OpenLDAP 2.4.8.
I set up 2 servers in Mirror mode. Then I added the password policy and some user accounts on server 1; when I then started up server 2, the user accounts were replicated to server 2.
Content of policy.ldif :

dn: ou=Policies
ou: Policies
description: All people in organisation
objectClass: organizationalUnit

dn: ou=Policies,o=HKSARG
ou: Policies
description: All people in organisation
objectClass: organizationalUnit

dn: cn=default,ou=Policies,o=HKSARG
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxFailure: 3
pwdInHistory: 12
pwdMinLength: 6
pwdExpireWarning: 259200
pwdAllowUserChange: TRUE
pwdFailureCountInterval: 300
pwdGraceAuthNLimit: 1
pwdLockoutDuration: 300
pwdMustChange: FALSE
pwdCheckQuality: 1
pwdMaxAge: 60000000
slapd.conf in server 1 :

#overlay syncprov
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,o=HKSARG"
overlay syncprov

#access to * by dn="cn=Manager" write by * read
access to * by * write
access to * by * read

#database monitor
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# syncrepl directives
syncrepl rid=1
        provider=ldap://202.245.193.128:389/
        bindmethod=simple
        binddn="cn=Manager"
        credentials=secret
        searchbase="o=HKSARG"
        schemachecking=off
        type=refreshAndPersist
        retry="60 +"

syncrepl rid=2
        provider=ldap://10.166.23.218:389/
        bindmethod=simple
        binddn="cn=Manager"
        credentials=secret
        searchbase="o=HKSARG"
        schemachecking=off
        type=refreshAndPersist
        retry="60 +"

mirrormode on
serverID 1
slapd.conf in server 2 :

# Password policy
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,o=HKSARG"

overlay syncprov

#access to * by dn="cn=Manager" write by * read
access to * by * write
access to * by * read

#database monitor
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# syncrepl directives
syncrepl rid=1
        provider=ldap://202.245.193.128:389/
        bindmethod=simple
        binddn="cn=Manager"
        credentials=secret
        searchbase="o=HKSARG"
        schemachecking=off
        type=refreshAndPersist
        retry="60 +"

syncrepl rid=2
        provider=ldap://10.166.23.218:389/
        bindmethod=simple
        binddn="cn=Manager"
        credentials=secret
        searchbase="o=HKSARG"
        schemachecking=off
        type=refreshAndPersist
        retry="60 +"

mirrormode on
serverID 2
I entered an incorrect password 3 times on server 1 for a user; then I found that the attribute pwdAccountLockedTime was updated on server 1, but on server 2 this attribute was not replicated. As a result, when I entered the correct password on server 2, authentication still succeeded, while on server 1 authentication failed.
Thanks
Confidential Communication - This e-mail (including any attachments) is confidential and may be legally privileged. If this e-mail has been sent to you by mistake please inform us by reply e-mail and then delete the e-mail, destroy any printed copy and do not disclose or use the information in it.
Paul Lee wrote:
Dear sir,
I found that the account policy can't be replicated in OpenLDAP 2.4.8.
I set up 2 servers in Mirror mode. Then I added the password policy and some user accounts on server 1; when I then started up server 2, the user accounts were replicated to server 2.
[snip]
mirrormode on serverID 1
slapd.conf in server 2 :
# Password policy
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,o=HKSARG"

overlay syncprov

#access to * by dn="cn=Manager" write by * read
access to * by * write
access to * by * read
Are these your only ACLs?
What do your logs indicate?
Yes,
this is my own ACL and the logs don't show any error.
I have created a lastlogintime attribute and a lastfailurelogintime attribute (user-defined attributes).
Each time I enter the wrong password, I also update the lastfailurelogintime attribute; then, after 3 failed attempts (I set the login failure limit to 3 in the password policy), the attribute pwdAccountLockedTime is replicated.
It's strange.....
Paul Lee wrote:
I have created a lastlogintime attribute and a lastfailurelogintime attribute (user-defined attributes).
Each time I enter the wrong password, I also update the lastfailurelogintime attribute; then, after 3 failed attempts (I set the login failure limit to 3 in the password policy), the attribute pwdAccountLockedTime is replicated.
It's strange.....
Most of the ppolicy attributes are operational, and since you never specified an "attrs" in your syncrepl config, the default is used, which is:
The attrs list defaults to "*,+" to return all user and operational attributes.
I did notice in ppolicy.c in HEAD:

/* FIXME: Need to handle replication of some (but not all)
 * of the operational attributes...
 */
So it may be the case that you can't replicate them all yet...
Gavin.
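A check for the situation described in this thread, added here as an example and not part of the original messages or of OpenLDAP itself: pull the user's entry from each replica with the operational attributes requested explicitly (the "+" in "*,+" above; a plain ldapsearch without it will not show pwdAccountLockedTime at all), then diff the ppolicy state attributes between the two captures and evaluate the lockout the way the overlay does with the pwdLockoutDuration of 300 from the policy above. The LDIF below is constructed sample data standing in for the two ldapsearch captures; the user DN, timestamps and entryCSN values are assumptions.

```python
"""Diff ppolicy operational state between two replicas from LDIF captures.

Assumed capture command per server (not from the thread):
    ldapsearch -x -LLL -H ldap://<server> -b o=HKSARG '(uid=jdoe)' '+'
"""
import base64
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Operational attributes maintained by the ppolicy overlay that decide
# whether a bind is accepted. Divergence here means the two replicas
# will give different answers to the same password.
PPOLICY_STATE_ATTRS = (
    "pwdChangedTime", "pwdAccountLockedTime", "pwdFailureTime",
    "pwdHistory", "pwdGraceUseTime", "pwdReset", "pwdPolicySubentry",
)

# Constructed sample captures: server 1 has recorded three failures and
# the lock, server 2 has only the replicated user attributes.
SERVER1_LDIF = """\
dn: uid=jdoe,ou=People,o=HKSARG
pwdChangedTime: 20080301120000Z
pwdFailureTime: 20080310090001Z
pwdFailureTime: 20080310090015Z
pwdFailureTime: 20080310090030Z
pwdAccountLockedTime: 20080310090030Z
entryCSN: 20080310090030.123456Z#000000#001#000000
"""
SERVER2_LDIF = """\
dn: uid=jdoe,ou=People,o=HKSARG
pwdChangedTime: 20080301120000Z
entryCSN: 20080301120000.000000Z#000000#001#000000
"""


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF parser returning {dn: {attr: [values]}}.

    Unfolds continuation lines (leading space), decodes base64 values
    ("attr:: ...") and skips comments and the version line. Trailing
    ldapsearch status lines without a dn are dropped.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: Dict[str, Dict[str, List[str]]] = {}
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:          # sentinel flushes the last entry
        if line == "":
            if "dn" in current:
                entries[current.pop("dn")[0]] = current
            current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    return entries


def ppolicy_divergence(entries_a, entries_b, attrs=PPOLICY_STATE_ATTRS):
    """Return {dn: {attr: (values_on_a, values_on_b)}} for each ppolicy
    state attribute whose value set differs; a missing attribute is []."""
    report = {}
    for dn in sorted(set(entries_a) | set(entries_b)):
        a, b = entries_a.get(dn, {}), entries_b.get(dn, {})
        diffs = {}
        for attr in attrs:
            va, vb = sorted(a.get(attr, [])), sorted(b.get(attr, []))
            if va != vb:
                diffs[attr] = (va, vb)
        if diffs:
            report[dn] = diffs
    return report


def parse_gtime(value: str) -> datetime:
    """Parse a GeneralizedTime such as 20080310090030Z (whole seconds, UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def is_locked(entry: Dict[str, List[str]], lockout_duration: int, now: datetime) -> bool:
    """Mirror the overlay's lockout test: locked while pwdAccountLockedTime is
    present and either pwdLockoutDuration is 0 (permanent) or it has not yet
    elapsed. 000001010000Z is the draft's marker for an administrative lock."""
    locked = entry.get("pwdAccountLockedTime")
    if not locked:
        return False
    if locked[0] == "000001010000Z" or lockout_duration == 0:
        return True
    return now < parse_gtime(locked[0]) + timedelta(seconds=lockout_duration)


if __name__ == "__main__":
    s1, s2 = parse_ldif(SERVER1_LDIF), parse_ldif(SERVER2_LDIF)
    for dn, diffs in ppolicy_divergence(s1, s2).items():
        print(dn)
        for attr, (va, vb) in diffs.items():
            print(f"  {attr}: server1={va} server2={vb}")
    at = parse_gtime("20080310090100Z")   # 30 s after the third failure
    for name, entries in (("server1", s1), ("server2", s2)):
        e = entries["uid=jdoe,ou=People,o=HKSARG"]
        print(f"{name}: locked={is_locked(e, 300, at)}")
```

Run against real captures, a non-empty report for pwdAccountLockedTime or pwdFailureTime is exactly the split Paul observed: the replica holding the lock refuses the correct password until the 300-second pwdLockoutDuration expires while the other replica accepts it, and the entryCSN values stay different because the lockout write never left the server that made it.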
openldap-technical@openldap.org