2013/10/15 Jacques Foucry <[email protected]>
> Hello list,
>
> I created a VM to test ppolicy migration and replication.
>
> On my master server some users (like mine) are "bound" to ppolicy:
>
> I have an OU policies
> dn: cn=default,ou=policies,dc=example,dc=com
> cn: default
> objectclass: top
> objectclass: device
> objectclass: pwdPolicy
> objectclass: pwdPolicyChecker
> pwdallowuserchange: TRUE
> pwdattribute: userPassword
> pwdcheckmodule: mmc-check-password.so
> pwdcheckquality: 0
> pwdexpirewarning: 600
> pwdfailurecountinterval: 0
> pwdgraceauthnlimit: 5
> pwdinhistory: 5
> pwdlockout: TRUE
> pwdlockoutduration: 0
> pwdmaxage: 7776000
> pwdmaxfailure: 5
> pwdminlength: 8
> pwdmustchange: TRUE
> pwdsafemodify: FALSE
>
>
> And my user:
>
> dn: cn=Jacques Foucry,ou=People,dc=example,dc=com
> c: France
> cn: Jacques Foucry
> gidnumber: 1000
> givenname: Jacques
> homedirectory: /home/jfoucry
> loginshell: /bin/zsh
> mail: [email protected]
> objectclass: inetOrgPerson
> objectclass: mozillaAbPersonAlpha
> objectclass: sambaSamAccount
> objectclass: posixAccount
> objectclass: top
> objectclass: shadowAccount
> objectclass: pwdPolicy
> ou: RT_Users
> postalcode: 75009
> pwdattribute: userPassword
> sambaacctflags: [U]
> shadowlastchange: 15987
> shadowmax: 120
> shadowmin: 7
> shadowwarning: 7
> sn: Foucry
> uid: jfoucry
> uidnumber: 1010
> userpassword: --password--
>
> On the replica VM I created a slapd.conf file (I cannot understand the
> "new" syntax).
>
> include /etc/ldap/schema/core.schema
> include /etc/ldap/schema/cosine.schema
> include /etc/ldap/schema/nis.schema
> include /etc/ldap/schema/inetorgperson.schema
> include /etc/ldap/schema/mozillaAbPersonAlpha.schema
> include /etc/ldap/schema/samba.schema
> include /etc/ldap/schema/pureftpd.schema
> include /etc/ldap/schema/ppolicy.schema
>
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
>
> loglevel config sync
> modulepath /usr/lib/ldap
> moduleload back_hdb
>
> database hdb
> suffix "dc=example,dc=com"
> rootdn "cn=admin,dc=example,dc=com"
> rootpw {SSHA}--password--
>
> directory /var/lib/ldap
>
> referral ldaps://192.168.72.13
> syncrepl rid=020
>         provider=ldaps://192.168.72.13
>         type=refreshOnly
>         interval=00:08:00:00
>         retry="60 10 300 +"
>         filter="(objectClass=*)"
>         scope=sub
>         attrs="*"
>         bindmethod=simple
>         schemachecking=off
>         searchbase="dc=exmaple,dc=com"
>         binddn="cn=syncuser,dc=exmaple,dc=com"
>         credentials=--password--
>         tls_reqcert=never
>
>
>
> When I start slapd on the slave VM, it sounds correct but only a few of my
> user records are synced. For example mine is not.
>
> On the master:
>
> # ldapsearch -x -b"ou=people,dc=example,dc=com" uid=jfoucry
> # extended LDIF
> #
> # LDAPv3
> # base <ou=people,dc=example,dc=com> with scope subtree
> # filter: uid=jfoucry
> # requesting: ALL
> #
>
> # Jacques Foucry, People, example.com
> dn: cn=Jacques Foucry,ou=People,dc=example,dc=com
> c: France
> cn: Jacques Foucry
> mail: [email protected]
> gidNumber: 1000
> givenName: Jacques
> homeDirectory: /home/jfoucry
> loginShell: /bin/zsh
> ou: RT_Users
> postalCode: 75009
> shadowMax: 120
> shadowMin: 7
> shadowWarning: 7
> sn: Foucry
> uidNumber: 1010
> uid: jfoucry
> objectClass: inetOrgPerson
> objectClass: mozillaAbPersonAlpha
> objectClass: sambaSamAccount
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> objectClass: pwdPolicy
> pwdAttribute: userPassword
> shadowLastChange: 15987
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> On the slave:
>
> ldapsearch -x -b"ou=people,dc=exmaple,dc=com" uid=jfoucry
> # extended LDIF
> #
> # LDAPv3
> # base <ou=people,dc=example,dc=com> with scope subtree
> # filter: uid=jfoucry
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
>
> I can't figure out what's wrong. Why are some records synced and others not?
> Is it because of ppolicy?
>
> Thanks in advance for your help,
>
Hi,

some remarks:

- do not use the pwdPolicy objectClass in a user entry. pwdPolicy is designed to create configuration objects, like you do with cn=default,ou=policies,dc=example,dc=com
- you seem to mix UNIX password policy (shadow* attributes) and LDAP password policy. This might not work as you expect
- have you configured a syncprov overlay on your master?

Clément.
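As an added example (not part of the thread, and not something either poster wrote), this is how the first remark would be applied on the master: the pwdPolicy class and its mandatory pwdAttribute are removed from the person entry, and the entry is pointed at the existing policy object through the ppolicy overlay's pwdPolicySubentry attribute instead. It assumes the DNs from the question, the ppolicy overlay loaded on the master, and that the modification is made as the rootdn (cn=admin,dc=example,dc=com); the file name fix-user.ldif is hypothetical.

```ldif
# Added example, not from the original thread. Assumes the policy object
# cn=default,ou=policies,dc=example,dc=com from the question and a master
# running the ppolicy overlay. Applied as the rootdn with:
#   ldapmodify -x -H ldaps://192.168.72.13 -D cn=admin,dc=example,dc=com -W -f fix-user.ldif
dn: cn=Jacques Foucry,ou=People,dc=example,dc=com
changetype: modify
# pwdPolicy is a policy-object class, not a person class.
delete: objectClass
objectClass: pwdPolicy
-
# pwdAttribute is MUST in pwdPolicy; drop it in the same modify, or the
# schema check rejects the entry once the class is gone.
delete: pwdAttribute
-
# Bind the user to the policy explicitly. This is optional when the overlay is
# configured with ppolicy_default naming the same policy object.
add: pwdPolicySubentry
pwdPolicySubentry: cn=default,ou=policies,dc=example,dc=com
```

For the third remark: with a slapd.conf master, syncrepl consumers only see changes if the provider database has the syncprov overlay, which means `moduleload syncprov.la` in the global section and `overlay syncprov` after the `database hdb` block for the suffix (with `syncprov-checkpoint 100 10`, `syncprov-sessionlog 100`, and `index entryCSN eq` plus `index entryUUID eq` as the admin guide recommends). Two checks worth making on the consumer side: syncrepl only replicates the entries the binddn is allowed to read, so an ACL that hides some people entries from cn=syncuser produces exactly the partial sync described; and `tls_reqcert=never` disables verification of the provider's certificate, so the replication credentials are sent to whatever answers on 192.168.72.13. The spelling `dc=exmaple` in the consumer's searchbase and binddn is also worth verifying against the real configuration file.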
