[CentOS] LDAP and expired passwords

Fri Oct 31 20:32:10 UTC 2008
Steve Thompson <smt at vgersoft.com>

CentOS 5.2 with OpenLDAP 2.3.27, nss_ldap_253.13, using TLS, i686 and 
x86_64.

If a user with an expired password (shadowLastChange + shadowMax < current 
day) logs in to a system where ldap.conf points first to a consumer-only 
LDAP server, the password change operation (exop) proceeds and fails with:

    LDAP password information update failed: Referral

If I comment out "ssl start_tls", the referral to the master is followed 
and the password change operation succeeds. I've found references to 
problems with earlier releases of pam_ldap when referrals were not 
properly followed when using TLS, and these are supposed to be fixed; 
apparently not in my case. Can anyone hit me with the clue stick?

Steve
----------------------------------------------------------------------------
Steve Thompson                 E-mail:      smt AT vgersoft DOT com
Voyager Software LLC           Web:         http://www DOT vgersoft DOT com
39 Smugglers Path              VSW Support: support AT vgersoft DOT com
Ithaca, NY 14850
   "186,300 miles per second: it's not just a good idea, it's the law"
----------------------------------------------------------------------------
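What the consumer is telling the client, and what a client that was using StartTLS has to do about it, as an added illustration for the thread above (not code from the post, from pam_ldap or from OpenLDAP). The LDAP message bytes and the host names (ldap-master.example.com and friends) are constructed here. A PasswordModify exop sent to a read-only consumer comes back as an LDAPResult with resultCode referral(10) and the master's URI; following it means opening a brand-new connection, so the client must issue StartTLS again on that connection before it rebinds and resends the exop. A client that instead surfaces the referral as an error never gets the change to the master, which is the "update failed: Referral" symptom; and dropping "ssl start_tls" only "fixes" it by sending the bind password and the new password in cleartext.

```python
"""Decode an LDAP PasswordModify (extended) response that carries a referral
and work out how a StartTLS client should follow it.  Constructed sample
data; the host names are assumptions, not the poster's servers."""

# --- minimal BER helpers, enough for LDAPMessage / LDAPResult (RFC 4511) ---

def ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    """Tag-length-value encoder."""
    return bytes([tag]) + ber_len(len(body)) + body

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

LDAP_REFERRAL = 10             # resultCode referral(10)
TAG_EXTENDED_RESPONSE = 0x78   # [APPLICATION 24], constructed
TAG_REFERRAL = 0xA3            # [3] Referral inside LDAPResult, constructed

def build_referral_response(msg_id, uris):
    """Constructed sample of what a consumer returns for a PasswordModify
    exop it cannot apply itself: an ExtendedResponse with a referral."""
    referral = tlv(TAG_REFERRAL, b"".join(tlv(0x04, u.encode()) for u in uris))
    result = (tlv(0x0A, bytes([LDAP_REFERRAL]))   # resultCode ENUMERATED
              + tlv(0x04, b"")                     # matchedDN (empty)
              + tlv(0x04, b"")                     # diagnosticMessage (empty)
              + referral)
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(TAG_EXTENDED_RESPONSE, result))

def parse_ldap_result(msg):
    """Parse an LDAPMessage whose protocolOp starts with LDAPResult fields."""
    tag, body, _ = read_tlv(msg)
    assert tag == 0x30, "not an LDAPMessage SEQUENCE"
    tag, mid, pos = read_tlv(body)
    assert tag == 0x02, "missing messageID"
    op_tag, op, _ = read_tlv(body, pos)
    _, code, pos = read_tlv(op)           # resultCode
    _, matched, pos = read_tlv(op, pos)   # matchedDN
    _, diag, pos = read_tlv(op, pos)      # diagnosticMessage
    referrals = []
    if pos < len(op):                     # optional [3] Referral follows
        tag, refs, _ = read_tlv(op, pos)
        if tag == TAG_REFERRAL:
            p = 0
            while p < len(refs):
                _, uri, p = read_tlv(refs, p)
                referrals.append(uri.decode())
    return {"message_id": int.from_bytes(mid, "big"),
            "op_tag": op_tag,
            "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched.decode(),
            "diagnostic": diag.decode(),
            "referrals": referrals}

def plan_referral_connection(uri, client_uses_starttls):
    """Decide how to open the NEW connection a referral requires.
    ldaps:// gives TLS at connect time; for ldap:// the client must issue
    StartTLS again on the fresh connection before rebinding, otherwise the
    rebind and the new password go over the wire in cleartext.
    Returns (host, port, tls_mode)."""
    scheme, rest = uri.split("://", 1)
    hostport = rest.split("/", 1)[0]
    host, _, port = hostport.partition(":")
    if scheme == "ldaps":
        return host, int(port or 636), "ldaps"
    if scheme == "ldap":
        mode = "starttls" if client_uses_starttls else "plaintext"
        return host, int(port or 389), mode
    raise ValueError("unsupported referral scheme: " + scheme)

if __name__ == "__main__":
    sample = build_referral_response(3, ["ldap://ldap-master.example.com/"])
    res = parse_ldap_result(sample)
    print(res)
    if res["result_code"] == LDAP_REFERRAL:
        for u in res["referrals"]:
            print("follow via", plan_referral_connection(u, client_uses_starttls=True))
```

The decoder is deliberately narrow (it only walks the LDAPResult prefix every result-type operation shares), but it is enough to see that the referral is a normal, non-error outcome on the consumer's side; the failure the poster reports sits entirely in the client's handling of the re-connect and re-StartTLS step.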