Hi, here are the configs:
Thanks!
MASTER:
# # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /opt/openldap-2.4.11/etc/openldap/schema/core.schema include /opt/openldap-2.4.11/etc/openldap/schema/cosine.schema include /opt/openldap-2.4.11/etc/openldap/schema/inetorgperson.schema include /opt/openldap-2.4.11/etc/openldap/schema/dnszone.schema include /opt/openldap-2.4.11/etc/openldap/schema/nis.schema include /opt/openldap-2.4.11/etc/openldap/schema/sudo.schema include /opt/openldap-2.4.11/etc/openldap/schema/DUAConfigProfile.schema include /opt/openldap-2.4.11/etc/openldap/schema/solaris.schema include /opt/openldap-2.4.11/etc/openldap/schema/ppolicy.schema include /opt/openldap-2.4.11/etc/openldap/schema/autofs.schema
# Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /opt/openldap-2.4.11/var/run/slapd.pid argsfile /opt/openldap-2.4.11/var/run/slapd.args allow bind_v2 password-hash {MD5} database monitor
# TLS configuration TLSCipherSuite HIGH:MEDIUM:TLSv1:+SSLv2:+SSLv3 TLSCACertificateFile /etc/openldap/cacerts/ca-ldap.crt TLSCertificateFile /etc/openldap/ldap1.crt TLSCertificateKeyFile /etc/openldap/ldap1.key
####################################################################### # ldbm and/or bdb database definitions #######################################################################
database bdb suffix "dc=empresa,dc=com" rootdn "cn=root,dc=empresa,dc=com" rootpw {SSHA}password # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /opt/openldap-2.4.11/var/openldap-data # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub # Database access list access to attrs=userPassword by self write by anonymous auth
access to attrs=shadowLastChange by self write by * read
access to * by * read
# Replication overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100
# Password policies overlay ppolicy ppolicy_default "cn=Password,ou=Policies,dc=empresa,dc=com" ppolicy_hash_cleartext ppolicy_use_lockout
# Access Logging overlay accesslog logdb cn=log logops bind logsuccess TRUE
# Access DB database bdb suffix "cn=log" directory /opt/openldap-2.4.11/var/openldap-accesslog rootdn "cn=log" index default eq index entryCSN,objectClass,reqEnd,reqResult,reqStart, eq,pres
# Syncrepl overlay syncprov syncprov-nopresent TRUE syncprov-reloadhint TRUE
SLAVE:
# # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /opt/openldap-2.4.11/etc/openldap/schema/core.schema include /opt/openldap-2.4.11/etc/openldap/schema/cosine.schema include /opt/openldap-2.4.11/etc/openldap/schema/inetorgperson.schema include /opt/openldap-2.4.11/etc/openldap/schema/dnszone.schema include /opt/openldap-2.4.11/etc/openldap/schema/nis.schema include /opt/openldap-2.4.11/etc/openldap/schema/sudo.schema include /opt/openldap-2.4.11/etc/openldap/schema/DUAConfigProfile.schema include /opt/openldap-2.4.11/etc/openldap/schema/solaris.schema include /opt/openldap-2.4.11/etc/openldap/schema/ppolicy.schema include /opt/openldap-2.4.11/etc/openldap/schema/autofs.schema
# Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org
pidfile /opt/openldap-2.4.11/var/run/slapd.pid argsfile /opt/openldap-2.4.11/var/run/slapd.args allow bind_v2 password-hash {MD5} database monitor
# TLS configuration TLSCACertificateFile /etc/openldap/cacerts/ca-ldap.crt TLSCertificateFile /etc/openldap/ldap2.crt TLSCertificateKeyFile /etc/openldap/ldap2.key
####################################################################### # ldbm and/or bdb database definitions #######################################################################
database bdb suffix "dc=empresa,dc=com" rootdn "cn=root,dc=empresa,dc=com" rootpw {SSHA}password
# The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /opt/openldap-2.4.11/var/openldap-data
# Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub # Database Access list
access to * attrs=userPassword by self write by anonymous auth
access to * attrs=shadowLastChange by self write by * read
access to * by * read
# Replication # Transparently proxy updates to master overlay chain chain-uri "ldap://ldap1.empresa.com" chain-idassert-bind bindmethod="simple" binddn="cn=root,dc=empresa,dc=com" credentials="password" mode="self" chain-tls start chain-return-error TRUE
# Replication agent syncrepl rid=123 provider=ldaps://ldap1.empresa.com type=refreshOnly interval=00:00:01:00 searchbase="dc=empresa,dc=com" filter="(objectClass=*)" scope=sub attrs="*,+" schemachecking=on retry="60 10 300 3" bindmethod=simple binddn="cn=root,dc=empresa,dc=com" credentials=password
# Refer updates to master updateref ldap://ldap1.empresa.com/
# Password policies overlay ppolicy ppolicy_default "cn=Password,ou=Policies,dc=empresa,dc=com" ppolicy_hash_cleartext ppolicy_use_lockout
# Access Logging overlay accesslog logdb cn=log logops bind logsuccess TRUE
# Access DB database bdb suffix "cn=log" directory /opt/openldap-2.4.11/var/openldap-accesslog rootdn "cn=log" index default eq index entryCSN,objectClass,reqEnd,reqResult,reqStart, eq,pres
syncrepl rid=124 provider=ldaps://ldap1.empresa.com bindmethod=simple binddn="cn=root,dc=empresa,dc=com" credentials=password type=refreshOnly interval=00:00:01:00 filter="(objectClass=*)" retry="5 +" searchbase="cn=log" logbase="cn=log" syncdata=accesslog # type=refreshAndPersist # schemachecking=on
updateref ldap://ldap1.empresa.com/
----- Original Message ---- From: Gavin Henry ghenry@OpenLDAP.org To: Eyal Marantenboim eyalmdiveo@yahoo.com Cc: openldap-technical@openldap.org Sent: Monday, September 15, 2008 12:46:15 PM Subject: Re: pwd* Attributes and replication
Eyal Marantenboim wrote:
Hi,
We have 1 master and 1 secondary servers (version 2.4.11) using ppolicy. When a user tries to bind with incorrect credential, the master server gets populated with pwdFailureTime attribute. After 4 times of entering wrong credentials, pwdAccountLockedTime is added to that user.
Our problem is that the secondary server (using syncrepl) is not replicating the pwd* values. I've noticed that neither entryCSN nor contextCSN are being updated (on the master) when pwdFailureTime is added to the user (I'm not sure if it should actually change). But, when we change any other attribute (userPassword, etc) on the master, that does change entryCSN, and all pwd* attributes do get updated in the seconday server.
appreciate your help. Thanks!
Config?
openldap-technical@openldap.org
-
Eyal Marantenboim