Hello!

I've been experiencing some issues with the ppolicy overlay and chaining. I've
implemented a simple OpenLDAP master and consumer architecture. This
implementation works fine: I have data from the master replicated into the
slave, and all writes sent to the slave (add/edit OUs and users) are
forwarded to the master.

I've now added the ppolicy overlay to this architecture (with
olcPPolicyForwardUpdates set to TRUE). When the slave receives a logon
failure, it should forward this to the master, so the ppolicy overlay can set
pwdFailureTime and pwdAccountLockedTime.

This is not happening. Neither master nor slave is setting
pwdFailureTime or pwdAccountLockedTime.


When debugging the slave, I get the following messages:

541875a7 conn=1010 op=0 BIND dn="cn=Lisa Hayes,ou=Quality,dc=example,dc=com" method=128
541875a7 conn=1010 op=0 ldap_back_retry: retrying URI="ldap://ldapmaster.com" DN="cn=syncrepluser,ou=security,dc=example,dc=com"
541875a7 conn=1010 op=0 RESULT tag=97 err=49 text=
541875a7 conn=1010 op=1 UNBIND
541875a7 conn=1010 fd=21 closed

I've been searching the Internet for how to solve this issue, without any luck.
Can someone point me in the right direction? Here is my config for
replication and chaining on both master and slave:

#-----
# Master
#-----
dn: cn=module,cn=config
changetype: add
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: syncprov

dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

#-----
# Slave
#-----
dn: cn=module,cn=config
changetype: add
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: syncprov
olcModuleLoad: back_ldap

dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://ldapmaster.com
 binddn="cn=syncReplUser,ou=Security,dc=example,dc=com" bindmethod=simple
 credentials=secret searchbase="dc=example,dc=com" type=refreshAndPersist
 scope=sub retry="5 10 10 +" timeout=1 sizelimit=unlimited schemachecking=on
-
add: olcUpdateRef
olcUpdateRef: ldap://ldapmaster.com

dn: olcOverlay=chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: chain
olcChainReturnError: TRUE

dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: ldap
olcDbURI: ldap://ldapmaster.com
olcDbRebindAsUser: TRUE
olcDbIDAssertBind: bindmethod=simple
 binddn="cn=syncReplUser,ou=Security,dc=example,dc=com" credentials=secret
 mode=self flags=prescriptive,proxy-authz-non-critical


Thanks in advance
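The message above shows the replication and chain entries but not the ppolicy overlay itself. As an added example (not from the original post or its author), this is what the consumer-side ppolicy configuration and a minimal lockout policy look like in cn=config. It assumes the same {1}hdb database, /usr/lib/ldap module path, dc=example,dc=com suffix and ldapmaster.com host as the post; the policy DN cn=default,ou=policies,dc=example,dc=com, the lockout thresholds, and the cn=admin bind DN in the verification commands are illustrative choices, not anything the post states.

```ldif
# Added example, not the original poster's configuration. Assumptions: the
# {1}hdb database, module path and suffix from the post; the policy DN and
# lockout values below are illustrative.

# Consumer: load the ppolicy module. The entry created as cn=module,cn=config
# is stored with an ordering index, hence cn=module{0}.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy

# Consumer: ppolicy overlay whose own state writes (pwdFailureTime,
# pwdAccountLockedTime, ...) are forwarded to the master instead of being
# written locally. Per slapo-ppolicy(5), olcPPolicyForwardUpdates is only
# useful on a consumer and requires olcUpdateRef plus the chain overlay,
# which the post already configures.
dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
olcPPolicyUseLockout: TRUE
olcPPolicyForwardUpdates: TRUE

# Master: the same overlay entry, but without olcPPolicyForwardUpdates (it
# defaults to FALSE), so the chained modifications are applied there and
# then replicate back to the consumer through syncrepl.

# Default policy, added on the master so that it replicates to the consumer.
# pwdPolicy is auxiliary, so a structural class (person here) is required.
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
pwdMaxFailure: 3
pwdFailureCountInterval: 300
pwdLockout: TRUE
pwdLockoutDuration: 900

# Verification (run from a shell, assumed bind DNs and hosts):
#   ldapwhoami -x -H ldap://consumer.example.com \
#     -D "cn=Lisa Hayes,ou=Quality,dc=example,dc=com" -w wrongpassword
#   ldapsearch -x -H ldap://ldapmaster.com -D cn=admin,dc=example,dc=com -W \
#     -b "cn=Lisa Hayes,ou=Quality,dc=example,dc=com" -s base \
#     pwdFailureTime pwdAccountLockedTime
```

Two things to check when the attributes do not appear after a failed bind. First, pwdFailureTime and pwdAccountLockedTime are operational attributes, so an ldapsearch only returns them when they are requested by name (or with "+"); a plain search will never show them even when they are set. Second, a policy with pwdLockout and a non-zero pwdMaxFailure has to apply to the user, either through olcPPolicyDefault as above or through a pwdPolicySubentry attribute on the user's entry; if no such policy applies, the overlay has nothing to record, on either server.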
