I have a master-slave configuration, sync'ed with syncrepl.  Most of my LDAP 
clients connect directly to the slave servers.  Some of my clients can handle 
referrals, but others cannot.  For this reason, I use the 'chain' overlay. 

The configuration works fine when I have 'pam_password clear' in my clients' 
ldap.conf.  But with 'pam_password md5', the clients are not sending the 
control messaging for ppolicy.  This seems to be a pam_ldap issue, but I cannot 
seem to track it down and correct it.  

It has been suggested that I use the 'pam_password exop' option on the clients 
as a work-around for the pam_ldap issue.  Doing this, I get hashed passwords, 
as well as correct ppolicy control messaging, and everything works fine doing 
this in my other (lab) scenario where I am not required to use chaining.  BUT, 
in my chaining config, when the user makes a password change, instead of the 
user's password being changed, the chain's bind password is changed. NOTE: I do 
not employ SASL.

Is this configuration supported?  Anyone know why the chain's bind password 
would be getting changed, instead of the user's?

Thanks,
Joe
                                          