Just to let the list know this was my own doing.
I had an ACL which denied write access to the pwdPolicySubentry because of the
preceding self auth statement.
access to attrs=sambaKickoffTime,shadowExpire,shadowMax,shadowWarning,shadowFlag,sambaAcctFlags,sambaPasswordHistory,shadowLastChange,sambaLMPassword,sambaNTPassword,sambaPwdMustChange,sambaPwdLastSet,mail,pwdAccountLockedTime,pwdPolicySubentry,pwdChangedTime,pwdReset
    by self auth
    by group.base="cn=infrastructure,ou=example,ou=groups,dc=umlott,dc=lott" write
    by dn.base="cn=ldapmgr,ou=Service,dc=umlott,dc=lott" write
    by dn.base="cn=replicator,ou=Service,dc=umlott,dc=lott" write
    by * none break
From: [email protected]
To: [email protected]
Subject: RE: pwdPolicySubentry & replication user
Date: Tue, 8 May 2012 17:05:03 -0400
CC: [email protected]
I also have no issues if I run syncrepl with a provider and consumer. Only
mirror mode. Perhaps I'll try downgrading OpenLDAP.
Thanks.
Mike
Date: Tue, 8 May 2012 16:54:25 -0400
From: [email protected]
To: [email protected]
CC: [email protected]
Subject: RE: pwdPolicySubentry & replication user
I run that version without issues, but my infrastructure is still using good
old reliable low-bandwidth slurpd, which is no longer supported.
I don’t think syncrepl is sufficiently reliable yet, although others disagree.
--Charlie
From: Michael Starling [mailto:[email protected]]
Sent: 2012 May 08 4:20 PM
To: [email protected]
Cc: openldap
Subject: RE: pwdPolicySubentry & replication user
Re: Take the issue to Redhat
Easier said than done.
The policy is what it is but I didn't think it would do any harm to see if
anyone has run into this issue.
> Date: Tue, 8 May 2012 12:22:58 -0700
> From: [email protected]
> To: [email protected]
> CC: [email protected]
> Subject: RE: pwdPolicySubentry & replication user
>
> --On Tuesday, May 08, 2012 3:07 PM -0400 Michael Starling
> <[email protected]> wrote:
>
> >
> > Unfortunately I have no choice as this is the latest available in the
> > RHEL tree and my company won't allow us to deviate and compile.
>
> Then you will need to take issues to RedHat since your company has an
> utterly broken policy.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
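Added example (not part of the original thread or of OpenLDAP): a simplified Python model of slapd's first-match by-clause evaluation, run against the ACL from the first message. It assumes the denied write was the replicator updating its own entry, where `self` matches first; the `REORDERED` list and all function names are hypothetical, and only the `stop` and `break` controls are modelled.

```python
# Simplified model of by-clause evaluation as documented in slapd.access(5):
# clauses are tried in order, the first matching <who> decides the level, and
# the default control "stop" ends evaluation. "continue" is not modelled.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

REPLICATOR = "cn=replicator,ou=Service,dc=umlott,dc=lott"
LDAPMGR = "cn=ldapmgr,ou=Service,dc=umlott,dc=lott"
INFRA_GROUP = "cn=infrastructure,ou=example,ou=groups,dc=umlott,dc=lott"

# By-clauses in the order posted: (who, level, control)
POSTED = [
    ("self", "auth", "stop"),
    (("group", INFRA_GROUP), "write", "stop"),
    (("dn", LDAPMGR), "write", "stop"),
    (("dn", REPLICATOR), "write", "stop"),
    ("*", "none", "break"),
]
# One possible reordering (an assumption, not the poster's fix):
# the named writers are checked before "self".
REORDERED = POSTED[1:4] + [POSTED[0], POSTED[4]]

def who_matches(who, bind_dn, target_dn, groups):
    """Match a <who> field; DNs are compared case-insensitively (a simplification)."""
    if who == "*":
        return True
    if who == "self":
        return bind_dn.lower() == target_dn.lower()
    kind, value = who
    if kind == "dn":
        return bind_dn.lower() == value.lower()
    # kind == "group": groups maps a group DN to a set of lowercased member DNs
    return bind_dn.lower() in groups.get(value, set())

def evaluate(clauses, bind_dn, target_dn, groups=None):
    """Return (level, control) of the first by-clause whose <who> matches."""
    for who, level, control in clauses:
        if who_matches(who, bind_dn, target_dn, groups or {}):
            return level, control
    return "none", "stop"  # implicit "by * none stop" that ends every access clause

def can_write(clauses, bind_dn, target_dn, groups=None):
    """True if this access clause alone grants write or higher.
    A "break" result means later access clauses would still be consulted."""
    level, _ = evaluate(clauses, bind_dn, target_dn, groups)
    return LEVELS.index(level) >= LEVELS.index("write")
```
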