Hi,
I did a test, but unfortunately it didn't work for me.
This is my LAB:
- 389DS Servers :
- OS CentOS7 all updates
- 389DS version 1.3.8.4-22
- domain : dc=example,dc=com
- users on : uid=%u,ou=people,dc=example,dc=com
- One master server (idm01.example.com) and one slave server (idm02.example.com).
- Replication configured for userRoot database (dc=example,dc=com)
- Replication uses this user cn=replication manager,cn=config
- Password Policy is configured.
- Mail server Zimbra 8.8.11
- OS CentOS7 all updates
- Zimbra FOSS 8.8.11.
- External authentication configured using LDAP server
- Installation of ADPassword connector to allow change password from Zimbra WebUI
- External authentication was configured first on idm01.example.com to test that change pass works correctly.
- External authentication was modified to use idm02.example.com to test chain modification.
Result :
- Could not change user password using chain modification from idm02.example.com
Steps of configuration of chain modification :
- On master 389DS server
- Create a new ACI on dc=example,dc=com : (targetattr = "*")(version 3.0; acl "Proxied authorization for database links";
allow (proxy) (userdn = "ldap:///cn=Replication Manager,cn=config");) - Create cn=replication manager,cn=config on the master after getting this error from the slave's log :
- [17/Feb/2019:14:31:30.151680780 +0000] - ERR - slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
[17/Feb/2019:14:31:30.153315712 +0000] - ERR - chaining database - cb_get_connection - Can't bind to server <idm01.example.com> port <636>. (LDAP error 32 - No such object; Netscape Portable Runtime error 0 - no error)
[17/Feb/2019:14:31:30.154527249 +0000] - ERR - chaining database - chaining_back_modify - cb_get_connection failed (-11) Connect error - On slave 389DS server
- Create the chain entry with ldapadd -x -W -D "cn=Directory Manager" -f chain.ldiff
- dn: cn=chainbe1,cn=chaining database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
cn: chainbe1
nsslapd-suffix: dc=example,dc=com
nsfarmserverurl: ldaps://idm01.example.com:636
nsmultiplexorbinddn: cn=replication manager,cn=config
nsmultiplexorcredentials: reppassword
nsCheckLocalACI: on - Modify the existing : dn: cn="dc=example,dc=com",cn=mapping tree,cn=config or to be exact dn: cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
- The original Entry was :
- dn: cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: dc=example,dc=com
cn: "dc=example,dc=com"
nsslapd-state: referral on update
nsslapd-backend: userRoot
nsslapd-referral: ldap://idm01.exemple.com:389/dc%3Dexample%2Cdc%3Dcom - The modified entry is :
- dn: cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: dc=example,dc=com
cn: "dc=example,dc=com"
nsslapd-backend: userRoot
nsslapd-referral: ldap://idm01.exemple.com:389/dc%3Dexample%2Cdc%3Dcom
nsslapd-state: backend
nsslapd-distribution-plugin: /usr/lib64/dirsrv/plugins/libreplication-plugin.so
nsslapd-distribution-funct: repl_chain_on_update
Errors :
- From 389DS slave server :
- Erorr Log
- [17/Feb/2019:14:44:24.514362428 +0000] - ERR - chaining database - chaining_back_modify - invalid password syntax - passwords with storage scheme are not allowed
- From Zimbra mail server
- mailbox log
- 2019-02-17 14:31:30,243 WARN [qtp1286783232-42786:http://localhost:8080/service/soap/ChangePasswordRequest] [ua=zclient/8.8.11_GA_3772;soapId=2e1e97b2;] SoapEngine - handler exception
com.zimbra.common.service.ServiceException: permission denied: javax.naming.NamingException: [LDAP: error code 1 - database configuration error - please contact the system administrator]; remaining name 'uid=j.shepard,ou=People,dc=example,dc=com'
ExceptionId:qtp1286783232-42786:http://localhost:8080/service/soap/ChangePasswordRequest:1550413890243:874fcd9af69d9eb8
Code:service.PERM_DENIED
Did I respect the procedure?
i didn't find anything about chain modification on RedHat documentation, did I miss anything?
Regards.
Le lun. 18 févr. 2019 à 00:58, William Brown <wbrown@xxxxxxx> a écrit :
I don’t see any reason why it wouldn’t still work today? It would be good if you were able to test a development deployment and let us know the results and processes taken?
> On 17 Feb 2019, at 21:48, wodel youchi <wodel.youchi@xxxxxxxxx> wrote:
>
> Hi,
>
> We have a master 389DS Server, and several Slaves.
>
> The slaves are in the front, and the clients can use them for search and authentication.
>
> We have also a mailing solution, and we want to allow users to modify their passwords.
>
> I've read this article : https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate.html
>
> I don't know it it's still supported.
>
> The idea is to chain password modification via the slave to the master.
>
> Regards.
>
> Regards.
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
—
Sincerely,
William Brown
Software Engineer, 389 Directory Server
SUSE Labs
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
