Opened 12 years ago

Closed 12 years ago

#21 closed (fixed)

LDAP password change on racks doesn't work due to LDAP replication issues

Reported by: chaos@bbn.com Owned by: jonmills@renci.org
Priority: major Milestone:
Component: Administration Version: SPIRAL4
Keywords: Cc:
Dependencies:

Description

When I try to change the password for my new cgolubit (BBN site admin) account, I get:

(cgolubit) bbn-hn,[~],17:37(0)$ passwd
Changing password for user cgolubit.
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information update failed: Server is unwilling to perform
shadow context; no update referral
passwd: Authentication token manipulation error

Fix LDAP replication config so that non-RENCI users can change their LDAP passwords.

Change History (7)

comment:1 Changed 12 years ago by chaos@bbn.com

I reported this to Jonathan via e-mail, and he said:

Okay, I believe the problem is that the slave is not performing update
referrals.  The slaves have an openldap 2.4.x "syncrepl" style
replication agreement with ldap.exogeni.net.  So they won't perform   
updates locally, and they aren't configured to do referrals (my bad).           
It worked before, because we had the headnodes pointed ONLY to                  
ldap.exogeni.net, rather than pointing to the local replica first.   
I'll work on updating the config as soon as I read some more of the manual.

So I think he is working on this.

comment:2 Changed 12 years ago by jonmills@renci.org

I have implemented the full slapo-chain overlay using a new cn=proxyuser,dc=exogeni,dc=net user and authzTo proxied binds. I can now change my password against rci-hn.exogeni.net, with the following debug output:

conn=1001 fd=19 ACCEPT from IP=152.54.14.3:54181 (IP=152.54.1.67:389)
conn=1001 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=1001 op=0 STARTTLS
conn=1001 op=0 RESULT oid= err=0 text=
conn=1001 fd=19 TLS established tls_ssf=256 ssf=256
conn=1001 op=1 BIND dn="cn=proxyuser,dc=exogeni,dc=net" method=128
conn=1001 op=1 BIND dn="cn=proxyuser,dc=exogeni,dc=net" mech=SIMPLE ssf=0
conn=1001 op=1 RESULT tag=97 err=0 text=
conn=1001 op=2 PROXYAUTHZ dn="uid=jonmills,ou=people,dc=exogeni,dc=net"
conn=1001 op=2 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=1001 op=2 PASSMOD new
slap_queue_csn: queing 0x7fb336c8b1d0 20120525190146.807111Z#000000#000#000000
slap_graduate_commit_csn: removing 0x7fb3281b8cf0 20120525190146.807111Z#000000#000#000000
conn=1001 op=2 RESULT oid= err=0 text=
conn=1001 op=3 UNBIND
conn=1001 fd=19 closed

Additionally, I have added all slapd configuration into Puppet -- which is really quite convenient now.
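The setup described in comment:1 and comment:2, as an added configuration example (this is not the project's Puppet-managed slapd config): a syncrepl consumer on a rack headnode that returns update referrals to ldap.exogeni.net, and a slapo-chain overlay that follows those referrals by binding as cn=proxyuser,dc=exogeni,dc=net and asserting the identity of the user who bound to the replica, which is what produces the BIND / PROXYAUTHZ / PASSMOD sequence in the debug output above. The host names and the proxyuser DN are from the ticket; the slapd.conf layout, replication id, credentials placeholders, database paths, the provider's authz-policy and the authzTo regex are assumptions.

```conf
############################################################################
# Consumer (replica) slapd.conf on a rack headnode such as rci-hn.exogeni.net
# Added example; only the host names and the proxyuser DN come from the ticket.
############################################################################

# Global (frontend) chain overlay: chases referrals returned by any database.
overlay                 chain
chain-uri               "ldap://ldap.exogeni.net"
# Bind to the provider as the proxy identity, then assert the DN of the user
# who bound to the replica (mode=self). The provider logs this as
# PROXYAUTHZ dn="uid=<user>,ou=people,dc=exogeni,dc=net" and applies that
# user's ACLs to the chained operation (here the Password Modify extended op).
chain-idassert-bind     bindmethod=simple
                        binddn="cn=proxyuser,dc=exogeni,dc=net"
                        credentials="CHANGE-ME-proxyuser-password"
                        mode=self
                        starttls=critical
# Return the provider's result to the client instead of the raw referral.
chain-return-error      TRUE

database                hdb
suffix                  "dc=exogeni,dc=net"
rootdn                  "cn=admin,dc=exogeni,dc=net"
directory               /var/lib/ldap

# syncrepl consumer agreement with the provider (assumed rid and credentials).
syncrepl rid=001
         provider=ldap://ldap.exogeni.net
         type=refreshAndPersist
         retry="60 +"
         searchbase="dc=exogeni,dc=net"
         bindmethod=simple
         binddn="cn=replicator,dc=exogeni,dc=net"
         credentials="CHANGE-ME-replicator-password"
         starttls=critical

# Without updateref a write against the shadow copy fails with
# "Server is unwilling to perform ... shadow context; no update referral"
# (the original symptom). With it, the replica returns a referral to the
# provider, which the chain overlay above follows on the client's behalf.
updateref               ldap://ldap.exogeni.net

############################################################################
# Provider slapd.conf on ldap.exogeni.net (relevant fragment, assumed)
############################################################################

# Proxy authorization is granted by the authzTo attribute of the proxy identity.
authz-policy            to

database                hdb
suffix                  "dc=exogeni,dc=net"
rootdn                  "cn=admin,dc=exogeni,dc=net"
directory               /var/lib/ldap

# Users may change their own password; nobody else may read it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

############################################################################
# Provider entry for the proxy identity (LDIF, assumed). The dn.regex limits
# what proxyuser may assert to ordinary people entries, so a leaked proxyuser
# password cannot be used to act as cn=admin or the replicator.
############################################################################
# dn: cn=proxyuser,dc=exogeni,dc=net
# objectClass: simpleSecurityObject
# objectClass: organizationalRole
# cn: proxyuser
# userPassword: {SSHA}CHANGE-ME-hashed-password
# authzTo: dn.regex:^uid=[^,]+,ou=people,dc=exogeni,dc=net$
```

Two checks worth making after deploying such a config: run `passwd` as a non-RENCI user against the headnode and confirm the provider log shows a BIND as proxyuser followed by PROXYAUTHZ for that user's DN and a PASSMOD with err=0, as in comment:2; and verify that an authorization attempt outside the authzTo pattern (for example asserting the rootdn) is refused by the provider, since the proxyuser credential is readable by the slapd process on every replica.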

comment:3 Changed 12 years ago by jonmills@renci.org

Owner: changed from somebody to jonmills@renci.org
Status: new → assigned

comment:4 Changed 12 years ago by jonmills@renci.org

Resolution: worksforme
Status: assigned → closed

comment:5 Changed 12 years ago by chaos@bbn.com

Resolution: worksforme
Status: closed → reopened

Jon: we prefer that GPO verify fixes and close tickets. We'll check this out right now.

comment:6 Changed 12 years ago by jbs@bbn.com

I just changed my password, and it worked fine.

comment:7 Changed 12 years ago by chaos@bbn.com

Resolution: fixed
Status: reopened → closed

Indeed, first I got:

(cgolubit) bbn-hn,[~],19:26(0)$ passwd
Changing password for user cgolubit.
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information update failed: Constraint violation
passwd: Authentication token manipulation error

because my shiny new pseudorandom password happened not to contain any digits. :>P

On the second try, this worked:

(cgolubit) bbn-hn,[~],19:26(1)$ passwd
Changing password for user cgolubit.
Enter login(LDAP) password: 
New password: 
Re-enter new password: 
LDAP password information changed for cgolubit
passwd: all authentication tokens updated successfully.

Thanks!
