On Apr 22, 2010, at 4:54 PM, [email protected] wrote:
I've noticed the following in the logs though which confuses me
even
more:
PROXIED attributeDescription "PWDHISTORY" inserted.
PROXIED attributeDescription "PWDPOLICYSUBENTRY" inserted.
PROXIED attributeDescription "PWDCHANGEDTIME" inserted.
PROXIED attributeDescription "PWDCHANGEDTIME" inserted.
This is a clear indication the schema is ***not*** loaded. That's
why I
asked. The ppolicy schema is loaded by default when slapo-ppolicy
is
built statically in slapd. Otherwise you need to either load
ppolicy.schema, or load the ppolicy.la module. In any case, the
schema
must be present also on the proxy, even though the proxy does not
need
to
have the overlay instantiated. It would be waaaaaay easier if you
posted
your remote host & proxy configuration, and detailed how OpenLDAP
was
built (namely, static or dynamic modules).
p.
I failed to mention the above messages where after I removed ppolicy.
I'm using third party rpms from Buchan, it is built dynamic modules:
#####################################################3
Name : openldap2.4-servers Relocations: (not
relocatable)
Version : 2.4.18 Vendor:
TelkomInternet
Release : 1.rhel5 Build Date: Fri 18 Sep
2009
05:43:56 AM EDT
Install Date: Mon 21 Sep 2009 05:47:01 PM EDT Build Host:
build.telkomsa.net
Group : System/Servers Source RPM:
openldap2.4-2.4.18-1.rhel5.src.rpm
Size : 4774420 License: Artistic
Signature : DSA/SHA1, Fri 18 Sep 2009 05:52:27 AM EDT, Key ID
ac92ba5060d204a7
Packager : Buchan Milne <[email protected]>
URL : http://www.openldap.org
Summary : OpenLDAP servers and related files
Description :
OpenLDAP Servers
This package contains the OpenLDAP server, slapd (LDAP server),
additional
backends, configuration files, schema definitions required for
operation, and
database maintenance tools
This server package was compiled with support for the berkeley
database library.
###########################################################
Below are my configs (database config was added so I could convert
over
to cn=config which I can assure has not changed since I converted
it):
PROXY:
include /usr/share/openldap2.4/schema/core.schema
include /usr/share/openldap2.4/schema/cosine.schema
include /usr/share/openldap2.4/schema/corba.schema
include /usr/share/openldap2.4/schema/inetorgperson.schema
include /usr/share/openldap2.4/schema/java.schema
include /usr/share/openldap2.4/schema/krb5-kdc.schema
include /usr/share/openldap2.4/schema/kerberosobject.schema
include /usr/share/openldap2.4/schema/nis.schema
include /usr/share/openldap2.4/schema/openldap.schema
include /usr/share/openldap2.4/schema/autofs.schema
include /usr/share/openldap2.4/schema/samba.schema
include /usr/share/openldap2.4/schema/kolab.schema
include /usr/share/openldap2.4/schema/evolutionperson.schema
include /usr/share/openldap2.4/schema/calendar.schema
include /usr/share/openldap2.4/schema/sudo.schema
include /usr/share/openldap2.4/schema/dnszone.schema
include /usr/share/openldap2.4/schema/dhcp.schema
include /usr/share/openldap2.4/schema/ppolicy.schema
I see. What I note is that some of the schema elements are only
defined
by the overlay itself, they are not specified in the schema file.
This
makes sense, because they are operational, and slapd does not allow to
specify operational attributes in the configuration. For this
purpose,
you need to
moduleload ppolicy.la
in your proxy configuration, *without* configuring the ppolicy
overlay on
the proxy database. This should make all attributes related to
ppolicy
known to the proxy. Does this solve all your issue, or is there
anything
left? I mean, apart from the fix to ITS#6530, that allows to proxy
control responses on successful binds.
p.
Yes! Your solution of loading the module but not configuring it on the
proxy solved the false alarms on the proxy and did allow searches for
the attributes to be recognized.
My only problem now as you pointed out is in the ITS where password
policy controls are not being sent back to the proxy.
Thanks for you help :)
