i tested ppolicy_forward_updates just before i got the 1st reply from marco, and it seemed to solve my problem however? now i'm already out of office and enjoying the weekend, but i will test on monday once again and get back with the results.
/chris

On Jul 2, 2010, at 18:00 , Chris Jacobs wrote:

> "ppolicy_forward_updates" won't affect the primary issue of:
> * wrong password --> got ldapsearch results:
> "...(type in wrong password for binding) ldapsearch get me search results..."
>
> Also, it seems he already has that setup:
> "it just adds a pwdFailureTime attribute on the provider and consumer"
>
> I have nothing to add (having chased this issue myself unsuccessfully) except
> to clarify what the original poster wrote.
>
> This is the third time we've heard of the issue.
>
> Christian:
> * What OS/ver are you using?
> * What version of PAM is installed?
> * What does your slapd.conf look like on your consumer (don't make the noob
>   mistake I did of posting real domain, rootdn and rootpw info)?
>
> - chris
>
> Chris Jacobs, Systems Administrator
> Apollo Group | Apollo Marketing | Aptimus
> 2001 6th Ave Ste 3200 | Seattle, WA 98121
> phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
> email: [email protected]
>
> From: [email protected] <[email protected]>
> To: Christian Bösch <[email protected]>
> Cc: [email protected] <[email protected]>
> Sent: Fri Jul 02 07:18:51 2010
> Subject: Re: ldap bind and password policy
>
> Hi, you have to add in your configuration of ppolicy overlay the directive
> about the forwarding of operational attributes related to ppolicy to the
> master server. So you have these attributes synchronized in all your servers.
>
> ppolicy_forward_updates available since version 2.4.18.
>
> Regards
> Marco
>
> On Fri, Jul 2, 2010 at 1:46 PM, Christian Bösch <[email protected]> wrote:
> hi,
>
> i just added password policy overlay to our openldap servers (2.4.21)
> it works fine in general. i can change password as user and it gets well
> replicated between provider and consumer.
>
> but since i added password policy i have a strange behaviour:
> _i do a ldapsearch on the provider and type in a wrong password for the
> binding user, then i get: ldap_bind: Invalid credentials (49) - as expected
> _if i do the same on the consumer (type in wrong password for binding)
> ldapsearch get me search results without complaining about wrong password.
> it just adds a pwdFailureTime attribute on the provider and consumer.
> but i also expect to get a ldap_bind: Invalid credentials (49) error?
>
> thx for any ideas!
>
> /chris
>
> --
> _________________________________________
> It is not the one who never falls who is strong, but the one who, falling,
> has the strength to get back up.
> Jim Morrison
>
> This message is private and confidential. If you have received it in error,
> please notify the sender and remove it from your system.
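An added example, not part of the thread and not any poster's configuration: slapo-ppolicy(5) documents that `ppolicy_forward_updates` is only useful on a replication consumer and also requires `updateref` and the chain overlay, so this Python check audits a consumer slapd.conf for those three pieces. The sample configuration (abbreviated; hostnames, DNs and credentials are placeholders) and the function names are constructed for illustration.

```python
# Constructed consumer slapd.conf; hostnames, DNs and credentials are placeholders.
SAMPLE_CONSUMER_CONF = """\
overlay chain
chain-uri "ldap://provider.example.com"
chain-idassert-bind bindmethod=simple
  binddn="cn=chain,dc=example,dc=com" credentials="PLACEHOLDER" mode=self
chain-return-error TRUE

database hdb
suffix "dc=example,dc=com"
syncrepl rid=001 provider=ldap://provider.example.com
  searchbase="dc=example,dc=com" type=refreshAndPersist
updateref ldap://provider.example.com
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
ppolicy_forward_updates
"""

def parse_sections(conf):
    """Split slapd.conf text into sections: [0] is global, then one per 'database'.
    Each directive is kept as its first two words, lower-cased."""
    logical = []
    for raw in conf.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue                                  # blank line or comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()          # continuation line
        else:
            logical.append(raw.strip())
    sections = [[]]
    for line in logical:
        words = [w.lower() for w in line.split()[:2]]
        if words[0] == "database":
            sections.append([])
        sections[-1].append(words)
    return sections

def audit_consumer(conf):
    """Report what each ppolicy-enabled syncrepl database lacks for forwarding."""
    sections = parse_sections(conf)
    findings = []
    for n, sec in enumerate(sections[1:], 1):
        names = {d[0] for d in sec}
        if ["overlay", "ppolicy"] not in sec or "syncrepl" not in names:
            continue                                  # not a ppolicy consumer database
        if "ppolicy_forward_updates" not in names:
            findings.append(f"database {n}: ppolicy_forward_updates not set")
        if "updateref" not in names:
            findings.append(f"database {n}: updateref not set")
        if ["overlay", "chain"] not in sections[0] + sec:
            findings.append(f"database {n}: chain overlay not configured")
    return findings
```

An empty result only means the forwarding prerequisites are present in the file; it does not test how the consumer answers a bind with a wrong password.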
