Consider the following password policy entry to disable password expiration.
dn: cn=noexpire,ou=policies,dc=umlott,dc=lott
cn: noexpire
objectClass: pwdPolicy
objectClass: person
objectClass: top
sn: Password Policy
pwdAttribute: UserPassword
pwdMaxAge: 0
pwdLockout: FALSE
description: Non-Expiring password policy for service accounts.
===============================================
The following LDIF attaches this policy to the 3 users below:
dn: cn=ldapmgr,ou=Service,dc=umlott,dc=lott
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,dc=lott

dn: cn=bind,ou=Service,dc=umlott,dc=lott
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,dc=lott

dn: cn=replicator,ou=Service,dc=umlott,dc=lott
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,dc=lott
This all works well and good when setting up my first LDAP server; however, when I set up another LDAP server in mirror mode to the first server, the pwdPolicySubentry attribute doesn't carry over to the second node and I start to see this in the slapd logs:
ppolicy_bind: Setting warning for password expiry for cn=replicator,ou=service,dc=umlott,dc=lott = 0 seconds
What's interesting is that the other two accounts that have the noexpire policy attached carry over the pwdPolicySubentry attribute just fine to the second node.
Any insight would be greatly appreciated.
Mike
2012/5/7 Michael Starling mlstarling31@hotmail.com:
Could you give us the OpenLDAP version you are running? Then, can you check that operational attributes are well synchronized?
Clément.
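Clément's check ("are operational attributes well synchronized?") can be made mechanical. The following is an added example, not code from the thread: it parses the LDIF that ldapsearch prints for ou=Service on each mirror node (sample output is constructed inline, with made-up entryCSN values) and lists every DN whose pwdPolicySubentry or entryCSN differs between the nodes, so a silently missing policy pointer like the replicator's is caught before the 0-second expiry warnings appear.

```python
import base64

# Constructed stand-in for "ldapsearch -x -LLL -b ou=Service,dc=umlott,dc=lott
# pwdPolicySubentry entryCSN" on each mirror node (entryCSN values are made up).
NODE1_LDIF = """\
dn: cn=bind,ou=Service,dc=umlott,dc=lott
pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,dc=lott
entryCSN: 20120507140000.000002Z#000000#001#000000

dn: cn=replicator,ou=Service,dc=umlott,dc=lott
pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,dc=lott
entryCSN: 20120507140000.000003Z#000000#001#000000
"""
NODE2_LDIF = """\
dn: cn=bind,ou=Service,dc=umlott,dc=lott
pwdPolicySubentry:: Y249bm9leHBpcmUsb3U9cG9saWNpZXMsZGM9dW1sb3R0LGRjPWxvdHQ=
entryCSN: 20120507140000.000002Z#000000#001#000000

dn: cn=replicator,ou=Service,dc=umlott,dc=lott
entryCSN: 20120507120000.000009Z#000000#002#000000
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; unfolds wrapped lines, decodes '::' base64."""
    entries = {}
    for record in text.replace("\n ", "").split("\n\n"):  # unfold, then split entries
        attrs, dn = {}, None
        for line in filter(None, record.splitlines()):
            attr, _, value = line.partition(":")
            value = value.strip()
            if value.startswith(":"):                       # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode()
            if attr.lower() == "dn":
                dn = value.lower()                          # DNs compare case-insensitively
            else:
                attrs.setdefault(attr, []).append(value)
        if dn:
            entries[dn] = attrs
    return entries

def ppolicy_diffs(ldif_a, ldif_b, attrs=("pwdPolicySubentry", "entryCSN")):
    """(dn, attr, values_on_a, values_on_b) for every entry the two nodes disagree on."""
    a, b = parse_ldif(ldif_a), parse_ldif(ldif_b)
    diffs = []
    for dn in sorted(set(a) | set(b)):
        for attr in attrs:
            va, vb = a.get(dn, {}).get(attr, []), b.get(dn, {}).get(attr, [])
            if va != vb:
                diffs.append((dn, attr, va, vb))
    return diffs
```

Against real servers, feed it the output of ldapsearch from each node with both attributes named explicitly (or `+`), since pwdPolicySubentry and entryCSN are operational attributes and are not returned by default.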
Hi Clément. Thanks for your response.
I'm running openldap-2.4.23-20 on RHEL 6.2
Operational attributes are transferring over for all users sans the replicator user.
If I add the following LDIF manually to the node that doesn't have the pwdPolicySubentry attribute then it shows up on the second node but is deleted from the original node it appeared on.
dn: cn=replicator,ou=Service,dc=umlott,dc=lott
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,dc=lott
Date: Tue, 8 May 2012 15:09:32 +0200
Subject: Re: pwdPolicySubentry & replication user
From: clem.oudot@gmail.com
To: mlstarling31@hotmail.com
CC: openldap-technical@openldap.org
2012/5/8 Michael Starling mlstarling31@hotmail.com:
As this version is quite old, you may try to use the latest (2.4.31) in order to see if this is a bug related to your version.
Clément.
Unfortunately I have no choice as this is the latest available in the RHEL tree and my company won't allow us to deviate and compile.
Mike
Date: Tue, 8 May 2012 20:14:27 +0200
Subject: Re: pwdPolicySubentry & replication user
From: clem.oudot@gmail.com
To: mlstarling31@hotmail.com
CC: openldap-technical@openldap.org
--On Tuesday, May 08, 2012 3:07 PM -0400 Michael Starling mlstarling31@hotmail.com wrote:
Unfortunately I have no choice as this is the latest available in the RHEL tree and my company won't allow us to deviate and compile.
Then you will need to take issues to RedHat since your company has an utterly broken policy.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Re: "Take the issue to Redhat": Easier said than done.
The policy is what it is but I didn't think it would do any harm to see if anyone has run into this issue.
Date: Tue, 8 May 2012 12:22:58 -0700
From: quanah@zimbra.com
To: mlstarling31@hotmail.com
CC: openldap-technical@openldap.org
Subject: RE: pwdPolicySubentry & replication user