Hi,
I have a configuration with a Master and 4 Slaves. Provider and Consumers are identical:
CentOS release 6.5
rpm -qa | grep ldap
openldap-clients-2.4.23-34.el6_5.1.x86_64
openldap-2.4.23-34.el6_5.1.x86_64
apr-util-ldap-1.3.9-3.el6_0.1.x86_64
nss-pam-ldapd-0.7.5-18.2.el6_4.x86_64
mod_authz_ldap-0.26-16.el6.x86_64
pam_ldap-185-11.el6.x86_64
openldap-servers-2.4.23-34.el6_5.1.x86_64
and all are configured with olc. All applications that use OpenLDAP for their login are configured to do queries on the slaves, and this creates problems with some options of ppolicy. Let me explain. I have configured the option that after a user gets their password wrong 5 times, the account is locked. And here lies the problem: because the slave database is read-only, the lock is not reported to the Master and the user does not get locked!!! I read that you could do something using the Chain Overlay, but I found little documentation and everything I tried did not work. Does anyone have any ideas to suggest?? Thanks
Best Regards
Ing. Stefano Elmopi Cooperativa Capodarco - Resp. Area ICT Gestione Esercizio Via Ostiense 131/L Corpo B, 00154 Roma
cell. 3466147165 tel. 0657060500
email: stefano.elmopi@sociale.it
--On November 7, 2014 at 10:25:59 AM +0100 "Elmopi, Stefano" <stefano.elmopi@sociale.it> wrote:
> and all are configured with olc.
> All applications that use OpenLDAP for their login are configured to do queries on the slaves, and this creates problems with some options of ppolicy. Let me explain. I have configured the option that after a user gets their password wrong 5 times, the account is locked. And here lies the problem: because the slave database is read-only, the lock is not reported to the Master and the user does not get locked!!! I read that you could do something using the Chain Overlay, but I found little documentation and everything I tried did not work. Does anyone have any ideas to suggest?? Thanks
Several.
a) Get a current version of OpenLDAP, and stop using the broken builds shipped by RHEL
b) Read the current man page for slapo-ppolicy, particularly the olcPPolicyForwardUpdates parameter
--Quanah
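For readers who want to see what (b) looks like together with the chain overlay, here is a constructed cn=config LDIF for one consumer; it is an added example, not configuration from either poster. The hostname master.example.com, suffix dc=example,dc=com, database index {2}hdb, and the cn=replicator bind identity are placeholders, and the provider's ACLs are assumed to let that identity write the pwd* state attributes.

```ldif
# Added example (constructed): consumer-side cn=config so that ppolicy
# lockout state recorded on a read-only replica is forwarded to the provider.

# 1. Chain overlay on the frontend database, so a referral returned by any
#    local database is chased by slapd instead of being handed to the client.
#    Assumes no other overlay is already configured on the frontend.
dn: olcOverlay=chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: chain
olcChainCacheURI: FALSE
olcChainMaxReferralDepth: 1
olcChainReturnError: TRUE

# 2. The remote target the chain overlay writes to: the provider.
#    mode=none means the forwarded modify arrives at the provider as
#    cn=replicator itself, so that DN needs write access to pwdFailureTime,
#    pwdAccountLockedTime and friends in the provider's ACLs (assumption).
#    StartTLS is set to critical because the bind credentials travel over
#    this link; this assumes the provider has TLS configured.
dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: ldap
olcDbURI: "ldap://master.example.com"
olcDbStartTLS: critical
olcDbIDAssertBind: bindmethod=simple binddn="cn=replicator,dc=example,dc=com" credentials="REPLACE-ME" mode=none
olcDbIDAssertAuthzFrom: "*"

# 3. The consumer database must name the provider as its updateref, so a
#    write attempted against the replica yields a referral for the chain
#    overlay to follow rather than a plain "unwilling to perform".
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcUpdateRef
olcUpdateRef: ldap://master.example.com

# 4. ppolicy on the consumer with forwarding switched on; without this the
#    failure counter is written locally and never reaches the provider.
dn: olcOverlay={0}ppolicy,olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcPPolicyForwardUpdates
olcPPolicyForwardUpdates: TRUE
```

After applying this with ldapmodify against the consumer's cn=config, a failed bind on the replica should show up as a pwdFailureTime value on the provider, which then replicates back to every consumer.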
openldap-technical@openldap.org