Hi list,
I have noticed a problem regarding ExOp PASSMOD and chaining in my OpenLDAP environment. Maybe some of the other overlays are doing their part in this as well.
Password changes stopped behaving weird at some point and after some experimenting, I have the following picture: When a slave runs for a few days and some user tries to change his password, the change is done in the local database only (no chaining done or referral returned), resulting in an inconsistent database between the slave and all the other servers. That way, logging in to services which connect to the LDAP servers in a round-robin fashion sometimes works with the "new" password and sometimes with the old one. After I restart the slapd on the slaves, everything works again for a few days, before it goes bad again.
Every other write gets chained just fine when a slave is in this condition. It's only the PASSMOD operations that are stuck.
I have one master and four slaves running on Solaris 10. One of them SPARC, the others x86.
Software Versions are:
OpenLDAP 2.4.21
BDB 4.8.26
Cyrus SASL 2.1.23
Heimdal Kerberos 1.3.3
All the configs and the source code of my self-made pwdCheckModule for ppolicy can be found here:
http://www.informatik.uni-bremen.de/~moenoel/ldap/
Has someone experienced this before and knows how to fix this? Maybe something wrong with my ppolicy stuff?
Regards, Christian Manal
Christian Manal wrote:
> Hi list,
> I have noticed a problem regarding ExOp PASSMOD and chaining in my OpenLDAP environment. Maybe some of the other overlays are doing their part in this as well.
> Password changes stopped behaving weird at some point and after some experimenting, I have the following picture: When a slave runs for a few days and some user tries to change his password, the change is done in the local database only (no chaining done or referral returned), resulting in an inconsistent database between the slave and all the other servers. That way, logging in to services which connect to the LDAP servers in a round-robin fashion sometimes works with the "new" password and sometimes with the old one. After I restart the slapd on the slaves, everything works again for a few days, before it goes bad again.
> Every other write gets chained just fine when a slave is in this condition. It's only the PASSMOD operations that are stuck.
I think this is the same issue pointed out in http://www.openldap.org/lists/openldap-technical/201003/msg00019.html (I don't think there's an ITS associated). However, I could not find anything specific; it probably needs further investigation. I suggest you file an ITS; please reference the original thread as a possible similar occurrence of the issue.
p.
openldap-technical@openldap.org
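
Added example (not part of the original thread, and not the poster's or the OpenLDAP project's code): one way to detect the condition described above is to compare pwdChangedTime and entryCSN for each entry between the master and every slave, since with one master and chaining a slave should never be ahead of the master. The DNs, server names and LDIF below are constructed; the script assumes ppolicy maintains pwdChangedTime and that the LDIF is unfolded and not base64-encoded.

```python
# Flag entries where a consumer holds a newer password change than the provider.
# Feed it LDIF dumps of entryCSN and pwdChangedTime taken from each server.

def parse_ldif(text):
    """Return {dn: {attr: value}} from simple LDIF (no folding, no base64)."""
    entries, cur = {}, None
    for line in text.splitlines():
        if not line.strip():
            cur = None          # blank line ends the current entry
            continue
        if line.startswith("#"):
            continue            # ldapsearch comment lines
        attr, _, value = line.partition(": ")
        if attr.lower() == "dn":
            cur = entries.setdefault(value.lower(), {})
        elif cur is not None:
            cur[attr.lower()] = value
    return entries

def find_drift(provider_ldif, consumers):
    """Return (server, dn, attr, provider_value, consumer_value) tuples."""
    provider = parse_ldif(provider_ldif)
    findings = []
    for name, ldif in sorted(consumers.items()):
        for dn, attrs in sorted(parse_ldif(ldif).items()):
            ref = provider.get(dn, {})
            for attr in ("pwdchangedtime", "entrycsn"):
                local, upstream = attrs.get(attr, ""), ref.get(attr, "")
                # Both values are fixed-width timestamps, so string order
                # is chronological order.
                if local > upstream:
                    findings.append((name, dn, attr, upstream, local))
    return findings

# Constructed sample data: slave2 applied a password change for bob locally.
PROVIDER = """dn: uid=alice,ou=people,dc=example,dc=org
entryCSN: 20100401080000.000000Z#000000#000#000000
pwdChangedTime: 20100401080000Z

dn: uid=bob,ou=people,dc=example,dc=org
entryCSN: 20100402090000.000000Z#000000#000#000000
pwdChangedTime: 20100402090000Z
"""
CONSUMERS = {
    "slave1": PROVIDER,
    "slave2": PROVIDER.replace("20100402090000", "20100410120000"),
}

if __name__ == "__main__":
    for server, dn, attr, upstream, local in find_drift(PROVIDER, CONSUMERS):
        print(f"{server}: {dn} {attr} master={upstream} local={local}")
```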