Good morning all,

After quite a bit of work, I got replication working (thank you all). So I forged ahead and deployed the server in our RHEL 5.5 environment. But now I just realized that none of my ppolicy rules work.

Also, the Red Hat clients are configured to use MD5 hash. When I look at the accounts in webmin, it shows it being crypt????? I know OpenLDAP likes salted SHA, but I thought I'd do what Red Hat wanted, which was MD5.

Password history, aging etc... A search used to show me all of my ppolicy objects:

ldapsearch -v -x -b 'dc=chin,dc=ca' cn=default

But now it returns nothing. Users can reuse passwords, so no history or aging is working. No locking.

I had to change ACLs on the provider and consumer to get the replication working. Would that cause the problem?

Here is my policy LDIF file I added to the server:

# policies, chin.com
dn: ou=policies,dc=chin,dc=ca
objectClass: organizationalUnit
objectClass: top
ou: policies

# default, policies, chin.com
dn: cn=default,ou=policies,dc=chin,dc=ca
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdInHistory: 6
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 1920
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
pwdMaxAge: 10368000
pwdExpireWarning: 1209600
pwdMinAge: 86400

Provider:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/ppolicy.schema
### added for host_attr access, this schema gives me a host object for wrappers
include /usr/share/doc/nss_ldap-253/ldapns.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2 bind_anon_cred

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# note, enabling debugging info really slows the beast down
#loglevel 128
loglevel 256
#loglevel conns filter
logfile /var/log/slapd.log

# Load dynamic backend modules using this path!!!
modulepath /usr/lib/openldap
moduleload ppolicy.la
moduleload accesslog.la
# modules available in openldap-servers-sql RPM package:
# moduleload back_sql.la

#################################################################
schemacheck on
lastmod on

access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

########################################
### ACL for syncrepl.
########################################
#access to attrs=userPassword
#    by self write
#    by uid=replicator,ou=people,dc=chin,dc=ca read
#    by anonymous auth
#    by * none

access to attrs=userPassword,shadowLastChange
    by dn="dc=admin,dc=chin,dc=ca" write
    by anonymous auth

access to *
    by dn="dc=admin,dc=chin,dc=ca" write
    by * read

#access to attrs=shadowLastChange
#    by self write
#    by * read

access to *
    by * read

#### WIDE OPEN - For testing only
##NOPE access to * by * write
access to * by * read

# -------------------------------------------------------------------
# Access log database instance for replication
# -------------------------------------------------------------------
# Accesslog database definitions
database bdb
suffix cn=accesslog
directory /var/lib/db/accesslog
rootdn cn=accesslog
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart

overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE

# -------------------------------------------------------------------
# Primary database instance
# -------------------------------------------------------------------
database bdb
suffix "dc=chin,dc=ca"
rootdn "cn=admin,dc=chin,dc=ca"
# rootpw
rootpw {SSHA}TCYoUVYYYXXXXXbQsitJ3V7zo+c887NC
directory /var/lib/ldap

index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq

# define the default policy
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=chin,dc=ca"
ppolicy_use_lockout

# syncrepl Provider for primary db
overlay syncprov
syncprov-checkpoint 1000 60

# accesslog overlay definitions for primary db
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
logpurge 07+00:00 01+00:00

# Let the replica DN have limitless searches
limits dn.exact="uid=replicator,ou=People,dc=chin,dc=ca" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

Consumer:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/ppolicy.schema
### added for host_attr access, this schema gives me a host object for wrappers
include /usr/share/doc/nss_ldap-253/ldapns.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2 bind_anon_cred

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 256
logfile /var/log/slapd.log
modulepath /usr/lib/openldap

# -------------------------------------------------------------------
# Primary database instance
# -------------------------------------------------------------------
database bdb
suffix "dc=chin,dc=ca"
rootdn "cn=admin,dc=chin,dc=ca"
directory /var/lib/ldap

moduleload ppolicy.la
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=chin,dc=ca"
ppolicy_use_lockout

# -------------------------------------------------------------------
# Replica configuration instance
# -------------------------------------------------------------------
# syncrepl specific indices
index entryUUID eq uniqueMember
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN eq

# syncrepl directives
syncrepl rid=0
    provider=ldap://ldap
    bindmethod=simple
    binddn="uid=replicator,ou=people,dc=chin,dc=ca"
    #binddn="cn=admin,dc=chin,dc=ca"
    credentials=xxxxx
    searchbase="dc=chin,dc=ca"
    logbase="cn=accesslog"
    logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
    schemachecking=off
    type=refreshAndPersist
    retry="60 +"
    syncdata=accesslog

# Refer updates to the master
updateref ldap://ldap

Any suggestions would be dandy and much appreciated. I'm new to LDAP, as you can tell.

Thanks
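An added illustration (my own code, not part of the original message and not OpenLDAP code): slapd applies access directives as slapd.access(5) describes, taking the first "access to" clause whose <what> matches the attribute and, inside it, the first matching "by" clause, so the model below runs those two rules over the uncommented ACL clauses quoted from the provider config above and lists the clauses that an earlier clause makes unreachable. It handles only a subset of <who> forms, and it says nothing about the rootdn, which bypasses ACLs entirely.

```python
# Constructed from the uncommented "access to" clauses of the posted provider
# slapd.conf (global section), in file order; the last one follows the WIDE OPEN comment.
POSTED_ACLS = """
access to attrs=userPassword by self write by anonymous auth by * none
access to attrs=userPassword,shadowLastChange by dn="dc=admin,dc=chin,dc=ca" write by anonymous auth
access to * by dn="dc=admin,dc=chin,dc=ca" write by * read
access to * by * read
access to * by * read
"""

def parse_acls(text):
    """Return [(what, [(who, level), ...]), ...] in file order, one clause per line."""
    acls = []
    for line in text.strip().splitlines():
        what, *bys = line.replace('"', "").split(" by ")
        acls.append((what[len("access to "):], [tuple(b.rsplit(None, 1)) for b in bys]))
    return acls

def what_matches(what, attr):
    return what == "*" or (what.startswith("attrs=") and attr in what[6:].split(","))

def who_matches(who, bind_dn, target_dn):
    """Subset of slapd <who> forms: *, anonymous, users, self, dn= / dn.exact= (case-insensitive)."""
    if who == "*" or who == "users" and bind_dn or who == "anonymous" and bind_dn is None:
        return True
    if who == "self" and bind_dn:
        return bind_dn.lower() == target_dn.lower()
    if who.startswith(("dn=", "dn.exact=")) and bind_dn:
        return who.split("=", 1)[1].lower() == bind_dn.lower()
    return False

def evaluate(acls, attr, bind_dn, target_dn):
    """First clause whose <what> matches decides; first matching <by> wins; none matching acts as 'by * none'."""
    for i, (what, bys) in enumerate(acls):
        if what_matches(what, attr):
            return i, next((lvl for who, lvl in bys if who_matches(who, bind_dn, target_dn)), "none")
    return None, "none"

def shadowed(acls):
    """Clause index -> attrs of that clause already claimed by an earlier clause, so never consulted."""
    seen, dead = set(), {}
    for i, (what, _) in enumerate(acls):
        attrs = ["*"] if what == "*" else what[6:].split(",")
        if hits := [a for a in attrs if "*" in seen or a in seen]:
            dead[i] = hits
        seen |= set(attrs)
    return dead

if __name__ == "__main__":
    print("unreachable:", shadowed(parse_acls(POSTED_ACLS)))
```

Because clause 1 already claims userPassword with a trailing "by * none", the admin DN in clause 2 is never consulted for that attribute; only its shadowLastChange part is ever reached.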
