[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ppolicy and syncrepl aclaration

To: openldap-technical@openldap.org
Subject: Re: ppolicy and syncrepl aclaration
From: Jordi Espasa Clofent <jespasac@minibofh.org>
Date: Wed, 17 Jun 2009 17:23:17 +0200
In-reply-to: <200906171435.34229.bgmilne@staff.telkomsa.net>
References: <4A375B8C.6090302@minibofh.org> <200906171435.34229.bgmilne@staff.telkomsa.net>
User-agent: Thunderbird 2.0.0.19 (X11/20090107)

userPassword is *not* a "state-related attribute", please see 'man slapo-
ppolicy'.
Note, that what this does mean is that you may be locked out on one slave, butnot the others (and maybe not the provider), and simple reset-ing the passwordon the master may not be sufficient to unlock the account on the slaves, and thepwdAccountFailureTime attributes may not be cleared, meaning one more failedauthentication may lock the account on a slave (especially in a load-balancedenvironment).


Nice :(

I work in load-balanced environment of course, so this supposes apotential and serious problem. Always I have the brute-force option:make the changes in the provider and restart the consumers to force there-sync.


Once again ... :(

--
Thanks,
Jordi Espasa Clofent

References:
- ppolicy and syncrepl aclaration
  - From: Jordi Espasa Clofent <jespasac@minibofh.org>
- Re: ppolicy and syncrepl aclaration
  - From: Buchan Milne <bgmilne@staff.telkomsa.net>

Prev by Date: Re: Check ppolicy
Next by Date: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Index(es):
- Chronological
- Thread