Good morning,

I'm trying to configure ppolicy_forward_updates to master from slaves on
Symas OpenLDAP 2.6.9, so that both successful authentications (ppolicy
attribute pwdLastSuccess) and failed authentications (ppolicy
attribute pwdFailureTime) get forwarded and written on the master.

Following some documentation [1] [2] I have configured on the slave:

* chain overlay in order to define how to connect to master (credentials,
tls, etc)
* updateref (after syncrepl section), in order to define where to send
updates
* ppolicy_forward_updates, in order to define that ppolicy operations must
be forwarded.

I have also configured the lastbind overlay to define the desired precision for saving
pwdLastSuccess, and this is working perfectly on the master server.
Both attributes (pwdLastSuccess and pwdFailureTime) are respectively being
updated flawlessly when binding to the master server.
Syncrepl between master and slave is also working properly, so that they
both get replicated to the slave.

But when binding to the slave, the "ppolicy forward updates" functionality
is not working and I cannot find out why.
I have looked at the usual suspects, such as ACL permissions on the master,
connectivity, etc.

But after some debugging I don't see the slave trying to connect to the
master (using tcpdump on the slave I cannot see any traffic), so I have
discarded any problems on the master itself (ACL), and I am guessing that
the problem is on the slave side.

When trying to further debug the problem, I can see on the slave server:

* On *successful* auths, when trying to write pwdLastSuccess:

slapd[320250]: send_ldap_result: err=53 matched="" text="operation restricted"
slapd[320250]: conn=1002 op=0 ppolicy_bind_response: ppolicy state change failed with rc=53 text=operation restricted
slapd[320250]: conn=1002 op=0 RESULT tag=97 err=0 qtime=0.000005 etime=0.000335 text=
slapd[320250]: connection_get(23)

* On *failed* auths, when trying to write pwdFailureTime:

slapd[320250]: send_ldap_result: err=49 matched="" text=""
slapd[320250]: => mdb_entry_get: ndn: "<<userdn_redacted>>"
slapd[320250]: => mdb_entry_get: oc: "(null)", at: "(null)"
slapd[320250]: => mdb_entry_get: found entry: "<<userdn_redacted>>"
slapd[320250]: send_ldap_result: err=53 matched="" text="operation restricted"
slapd[320250]: conn=1003 op=0 ppolicy_bind_response: ppolicy state change failed with rc=53 text=operation restricted
slapd[320250]: conn=1003 op=0 RESULT tag=97 err=49 qtime=0.000013 etime=0.000601 text=
slapd[320250]: connection_get(23)
slapd[320250]: conn=1003 op=1 UNBIND
slapd[320250]: conn=1003 fd=23 close

And I am not able to get more detailed information to find out why this
operation is restricted.

The "ppolicy_bind_response" messages make me suppose that it is indeed trying
to bind somewhere, but I am not seeing any connection being attempted
outside the slave server.
Is there some way to check where it is trying to bind?

I don't know where else to look in order to find out what's wrong.

Anyone have any tips?

Thank you so much for your help.

[1] https://kb.symas.com/en_US/configuration/configuring-ppolicy-for-openldap-25
[2] https://kb.symas.com/en_US/configuration/referrals-and-chaining

------------------------------
*Oscar Remírez de Ganuza Satrústegui*
Technology and IT Operations
IT Services

T: +34 948425600 x803130
[email protected]
------------------------------
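For reference, the three pieces the post lists (chain overlay, updateref, ppolicy_forward_updates) laid out in one consumer slapd.conf. This is an added illustration, not the poster's configuration; hostnames, DNs, paths and credentials are assumed placeholders, and the provider-side authorization (ACLs for the chain identity) is not shown.

```conf
# Consumer (slave) slapd.conf fragment. Hostnames, DNs, paths and
# credentials are assumed placeholders, not values from the post.

# Global section: the chain overlay is stacked on the frontend, so a
# referral raised by updateref for the ppolicy overlay's internal modify
# is followed by slapd itself instead of being handed back to the client.
overlay             chain
chain-uri           "ldaps://provider.example.com"
# Identity the consumer binds with on the provider. mode=none performs
# the chained write as cn=chain itself; with mode=self the consumer's
# rootdn (the identity ppolicy uses for its internal modify) would be
# asserted instead and the provider would have to allow that.
chain-idassert-bind bindmethod=simple
                    binddn="cn=chain,dc=example,dc=com"
                    credentials="CHANGE-ME"
                    mode=none
# Return the provider's real error instead of the referral, so a failing
# forwarded write is visible in the consumer's log.
chain-return-error  TRUE

database            mdb
suffix              "dc=example,dc=com"
rootdn              "cn=admin,dc=example,dc=com"
directory           /var/lib/ldap/consumer

syncrepl            rid=001
                    provider=ldaps://provider.example.com
                    type=refreshAndPersist
                    searchbase="dc=example,dc=com"
                    bindmethod=simple
                    binddn="cn=replicator,dc=example,dc=com"
                    credentials="CHANGE-ME"
                    retry="30 +"
# Marks this database as a shadow and tells slapd where writes belong.
updateref           ldaps://provider.example.com

overlay             ppolicy
ppolicy_default     "cn=default,ou=policies,dc=example,dc=com"
# Send the pwdFailureTime / pwdLastSuccess state changes caused by binds
# on this consumer through updateref + chain to the provider instead of
# writing them locally. The forwarded modify carries the Relax Rules
# control (these attributes are NO-USER-MODIFICATION), so the identity
# it arrives as needs manage-level access to them on the provider.
ppolicy_forward_updates
```

With chain-return-error set, an error on the chained write is logged on the consumer with the provider's result code rather than as a bare referral, which narrows down which side is refusing the update.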
