I'm not opening an official bug for this because it's already in RedHat support's hands and I'm waiting for them to reproduce it.* But I want to see if anyone else has encountered this too, I've spent a great deal of time diagnosting this and I want to make sure I'm not barking up the wrong tree while I wait (the more confident I am that it's a real problem, the more confident I am thinking about and proposing a fix).
It seems that using the "exop" directive in ldap.conf causes password changes to be done using the extended operation (referrals don't seem to work properly in some cases if you don't use exop).
However, it seems that in the directory server code, when you use the password change exop, it's considered "internal" (because it's a plugin), and thus a referral is never sent.* So if you turn exop on and have a replicated setup where you are pointing to a slave, the correct referral is never sent.
Has anyone else encountered this?* I can provide details and the results of my testing that overwhelmingly points to this being a bug in the directory server.
Thoughts?* Am I completely out there and making an ass of myself with support?*
Fedora-directory-users mailing list