<quote who="Tony Earnshaw">
> Gavin Henry wrote, on 06-12-2007 23:13:
>
>>> My site is implementing ppolicy on a 4-server OpenLDAP/RHEL5 setup. I
>>> have a problem with chaining referrals from the 3 slaves to the master.
>>> I followed the slapo-chain man page and chaining works:
>>>
>>> moduleload back_ldap.la
>>>
>>> overlay chain
>>>
>>> chain-uri "ldaps://mercurius.intern"
>>> chain-idassert-bind bindmethod="simple"
>>>     binddn="cn=proxy,dc=barlaeus,dc=nl"
>>>     credentials="secret"
>>> chain-return-error true
>>>
>>> cn=proxy,dc=barlaeus,dc=nl is the rootdn on all servers, thus also on
>>> the master.
>>>
>>> The rootdn is not able to update passwords. I have no idea why the
>>> rootdn shouldn't be able to update passwords (PASSMOD). However, it
>>> seems to me that the chaining from the slave should be carried out as
>>> the actual user and not rootdn. I can find nothing in slapo-chain or
>>> slapd-ldap that lists this possibility.
>>>
>>> Can anyone here help with this?
>>>
>>
>> What are your logs/-d saying?
>
> It's been a while since and up to now I've only had logs going back 5
> days (I've increased this to 21 days now, but that doesn't help here).
>
> Basically, the rootdn bound, issued a PASSMOD instruction for
> userPassword and got a reply tag=103 error=0; it then did a MOD
> instruction for shadowLastChange and got the same. userPassword wasn't
> changed, but shadowLastChange was.
>
> By having the slave server connect directly to the provider instead of
> using the consumer's chain function, all happens as expected, so that's
> the workaround at the present - but it's far from optimal.

The slave connects directly to the provider? What does that mean? Surely the slave issues a referral and the client follows it?

> Best,
>
> --Tonni
>
> --
> Tony Earnshaw
> Email: tonni at hetnet dot nl