Bliss, Aaron wrote:

>I'm all set, in the fds on the consumer, I had to manually add the
>supplier as a referral as part of the replication link (even though the
>documentation says it will do this based upon replication link). Thanks
>again very much for such a great product.

This sounds like a bug. The supplier automatically sets the referral in
the consumer. You can confirm this by attempting to do an ldapmodify
against the consumer - you should get a referral back. If not, then this
is definitely a bug.

>Aaron
>
>-----Original Message-----
>From: fedora-directory-users-bounces at redhat.com
>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Bliss, Aaron
>Sent: Tuesday, January 24, 2006 2:11 PM
>To: General discussion list for the Fedora Directory server project.
>Subject: RE: Question on password changes
>
>Sorry, I meant to say that I don't see the MOD entry on the supplier's
>log file; I agree with you, it doesn't seem that the client is listening
>to the referral.
>
>Aaron
>
>-----Original Message-----
>From: fedora-directory-users-bounces at redhat.com
>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
>Sent: Tuesday, January 24, 2006 2:10 PM
>To: General discussion list for the Fedora Directory server project.
>Subject: Re: Question on password changes
>
>Bliss, Aaron wrote:
>
>>I see the MOD request in the consumer, but do not see the MOD request
>>in the client;
>
>Where would you see the MOD request in the client? It just seems as
>though PAM is not following the referral and I'm not sure why. Perhaps
>there is some other PAM configuration required?
>
>>here are the relevant entries from
>>
>>/etc/ldap.conf and
>>host serverA serverB
>>base dc=myorg,dc=org
>>pam_lookup_policy yes
>>pam_check_host_attr yes
>>pam_password clear
>>ssl start_tls
>>
>>/etc/openldap/ldap.conf
>>BASE dc=myorg,dc=org
>>HOST serverA serverB
>>TLS_CACERT /etc/openldap/cacerts/cacert.pem
>>TLS_REQCERT allow
>>
>>Any ideas? I've confirmed this behaviour on redhat 3 and redhat 4
>>boxes, further this is the error that I get from redhat 4 boxes
>>
>>LDAP password information update failed: Can't contact LDAP server
>>
>>passwd: Permission denied
>>
>>Thanks again for your help.
>>
>>Aaron
>>
>>-----Original Message-----
>>From: fedora-directory-users-bounces at redhat.com
>>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
>>Sent: Tuesday, January 24, 2006 1:21 PM
>>To: General discussion list for the Fedora Directory server project.
>>Subject: Re: Question on password changes
>>
>>Bliss, Aaron wrote:
>>
>>>I am not using the password extended operation to change passwords i.e.
>>>in /etc/ldap.conf pam_password exop is commented out; as such, what's
>>>the best way to begin to debug this?
>>
>>I'm not sure. If I understand you correctly, it seems that the
>>consumer is correctly sending the referral back to the client in
>>response to the MOD request to change the password. Can you examine
>>the supplier access log to see if the client is following the referral?
>>You should see a MOD request in the supplier access log shortly after
>>the MOD to the consumer that resulted in the err=10. If not, this
>>means the client is not following the referral, which is either a bug
>>or a mis-configuration of the client.
>>
>>>Also, what is the advantage of
>>>using the extended operation to change passwords? Thanks again.
>>
>>The extended operation is meant to be used when you are not using a
>>simple userPassword (e.g. some SASL mechs, Kerberos).
>>
>>>Aaron
>>>
>>>-----Original Message-----
>>>From: fedora-directory-users-bounces at redhat.com
>>>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
>>>Sent: Tuesday, January 24, 2006 11:13 AM
>>>To: General discussion list for the Fedora Directory server project.
>>>Subject: Re: Question on password changes
>>>
>>>Bliss, Aaron wrote:
>>>
>>>>Thanks for getting back to me so quickly; I've seen the error messages
>>>>that you referenced below; I can then assume then my only alternative
>>>>is to setup a multimaster environment? Thanks.
>>>
>>>Which error messages have you seen? Are you saying that the client is
>>>using the password modify extended operation? If so, then yes, you
>>>will have to use multi master. If not, then single master should be
>>>fine, and you'll need to debug the client to figure out why it's not
>>>following the referral to the supplier.
>>>
>>>BTW, I believe we have a bug - the consumer should send back a referral
>>>to the supplier when it gets the password modify extended operation.
>>>We need to add support for sending back referrals when certain extended
>>>operations that modify data are received.
>>>
>>>>Aaron
>>>>
>>>>-----Original Message-----
>>>>From: fedora-directory-users-bounces at redhat.com
>>>>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
>>>>Sent: Tuesday, January 24, 2006 10:35 AM
>>>>To: General discussion list for the Fedora Directory server project.
>>>>Subject: Re: Question on password changes
>>>>
>>>>Bliss, Aaron wrote:
>>>>
>>>>>I have a quick question on password changes; my current setup is the
>>>>>following: I have 2 directory servers, single master environment
>>>>>(supplier and consumer); I understand that all changes to the directory
>>>>>have to be made by the supplier and are then replicated to the
>>>>>consumer; when a client server binds to the consumer and a user
>>>>>attempts to change their password, they receive an unknown error
>>>>>response from the server, and changes are not made; simply configuring
>>>>>the client's ldap.conf file to bind first with the supplier resolved
>>>>>this issue, however I was wondering if it's possible to configure the
>>>>>consumer in such a way that he will refer the update to take place on
>>>>>the supplier instead of rejecting the change to the database?
>>>>
>>>>Yes, that's what should be happening. When you send the modify
>>>>password request to the consumer, it should send back a referral to
>>>>the supplier.
>>>>You can see this in the access log - a MOD request followed by a
>>>>response with err=10 (referral). If however the client is using the
>>>>password modify extended operation, I don't think that is referred to
>>>>the supplier. In this case, you will see EXT as the operation type in
>>>>the access log for the request.
>>>>
>>>>>I would have thought that the
>>>>>consumer would simply refer changes automatically to the supplier, but
>>>>>that doesn't seem to be the case. Any thoughts?
>>>>
>>>>Check the access logs, as above.
>>>>
>>>>>I do know that I can
>>>>>configure both servers to be masters, but I was hoping to avoid this
>>>>>(I've read thru some of the directory server documentation citing
>>>>>errors and so forth in a multi-master environment) Thanks.
>>>>
>>>>http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate
>>>>
>>>>However, I don't think we chain the password change extended operation.
>>>>
>>>>>Aaron
>>>>>
>>>>>www.preferredcare.org
>>>>>"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D.
>>>>>Power and Associates
>>>>>
>>>>>Confidentiality Notice:
>>>>>The information contained in this electronic message is intended for
>>>>>the exclusive use of the individual or entity named above and may
>>>>>contain privileged or confidential information. If the reader of this
>>>>>message is not the intended recipient or the employee or agent
>>>>>responsible to deliver it to the intended recipient, you are hereby
>>>>>notified that dissemination, distribution or copying of this
>>>>>information is prohibited. If you have received this communication in
>>>>>error, please notify the sender immediately by telephone and destroy
>>>>>the copies you received.
>>>>>
>>>>>--
>>>>>Fedora-directory-users mailing list
>>>>>Fedora-directory-users at redhat.com
>>>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
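The debugging step Richard describes in the thread (a MOD on the consumer answered with err=10, then a matching MOD on the supplier shortly after if the client follows the referral, and an EXT op instead of MOD when the client uses the password modify extended operation) can be checked mechanically against the two access logs. The script below is an added example, not code from the thread or from the Directory Server project. It assumes the access-log layout shown in the constructed sample lines (timestamp, conn=, op=, then MOD/EXT/RESULT); the only identifier taken from outside the thread is the RFC 3062 Password Modify OID 1.3.6.1.4.1.4203.1.11.1, and the `name="..."` value on the EXT line is an assumed placeholder.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (not real server output). The consumer
# answers two MODs with err=10 (referral) and receives one password-modify
# extended operation (EXT), which per the thread is not referred.
CONSUMER_LOG = """\
[24/Jan/2006:14:05:01 -0500] conn=12 op=3 MOD dn="uid=aaron,ou=people,dc=myorg,dc=org"
[24/Jan/2006:14:05:01 -0500] conn=12 op=3 RESULT err=10 tag=103 nentries=0 etime=0
[24/Jan/2006:14:06:10 -0500] conn=13 op=2 MOD dn="uid=bob,ou=people,dc=myorg,dc=org"
[24/Jan/2006:14:06:10 -0500] conn=13 op=2 RESULT err=10 tag=103 nentries=0 etime=0
[24/Jan/2006:14:07:30 -0500] conn=14 op=2 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_plugin"
[24/Jan/2006:14:07:30 -0500] conn=14 op=2 RESULT err=1 tag=120 nentries=0 etime=0
"""

# Constructed supplier log: only aaron's client followed the referral.
SUPPLIER_LOG = """\
[24/Jan/2006:14:05:02 -0500] conn=40 op=1 MOD dn="uid=aaron,ou=people,dc=myorg,dc=org"
[24/Jan/2006:14:05:02 -0500] conn=40 op=1 RESULT err=0 tag=103 nentries=0 etime=0
"""

# Assumed line layout: "[ts] conn=N op=M <request or RESULT ...>".
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 Password Modify
REFERRAL = 10  # LDAP result code "referral", the err=10 from the thread


def parse_ops(text):
    """Join each request line with its RESULT line, keyed by (conn, op)."""
    ops = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not per-operation records
        rec = ops.setdefault((m['conn'], m['op']), {})
        rest = m['rest']
        if rest.startswith('RESULT '):
            err = re.search(r'err=(\d+)', rest)
            rec['err'] = int(err.group(1)) if err else None
        else:
            rec['ts'] = datetime.strptime(m['ts'], TS_FMT)
            rec['type'] = rest.split(' ', 1)[0]          # MOD, EXT, SRCH, ...
            dn = re.search(r'dn="([^"]*)"', rest)
            rec['dn'] = dn.group(1).lower() if dn else None
            oid = re.search(r'oid="([^"]*)"', rest)
            rec['oid'] = oid.group(1) if oid else None
    return list(ops.values())


def check_referrals(consumer_text, supplier_text, window=timedelta(seconds=30)):
    """For every referred MOD on the consumer, look for the follow-up MOD on
    the supplier within `window`; also flag password-modify EXT ops, which
    the consumer does not refer. Returns a list of (dn, status) tuples."""
    consumer = parse_ops(consumer_text)
    supplier = parse_ops(supplier_text)
    findings = []
    for c in consumer:
        if c.get('type') == 'MOD' and c.get('err') == REFERRAL:
            followed = any(
                s.get('type') == 'MOD' and s.get('dn') == c['dn']
                and c['ts'] <= s['ts'] <= c['ts'] + window
                for s in supplier
            )
            findings.append((c['dn'],
                             'referral followed' if followed
                             else 'referral NOT followed by client'))
        elif c.get('type') == 'EXT' and c.get('oid') == PASSWD_MODIFY_OID:
            findings.append((None,
                             'password modify EXT op sent to consumer; '
                             'not referred (err=%s)' % c.get('err')))
    return findings


if __name__ == '__main__':
    for dn, status in check_referrals(CONSUMER_LOG, SUPPLIER_LOG):
        print(dn or '<extended op>', '->', status)
```

Running it against real logs means reading the consumer's and the supplier's access log files into the two text arguments; a "referral NOT followed" finding points at the client (PAM/nss_ldap configuration) rather than at replication, while an EXT finding means the client is using the extended operation and, per the thread, will not be referred in a single-master setup.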