[Date Prev][Date Next]
Re: Chaining ppolicy state attributes
Ben Spencer skrev, on 27-12-2007 21:53:
AFAICS msg00050 has nothing to do with ppolicy, msg00149 does.
it would seem as if it might be impossible/tricky to chain state related
ppolicy attribute (ex: pwdAccountLockedTime) updates of a consumer to the
master and then back down to the other consumers in OpenLDAP 2.3
Has anyone successfully done this with OpenLDAP 2.3 (2.3.39)?
In as much as Pierangelo says that it was, as of Jan. 18th 2007, not
possible to chain these attributes, I have to take notice of that.
However, my site's been running ppolicy in production since the
beginning of Dec. with much tweaking and experimenting before that
(different utilities and mechanisms have to be able to support ppolicy
or a corresponding alternative).
pwdAccountLockedTime specific is an attribute that "disappears" as soon
as that time is over, so I can't check that, but mention was made of
pwdChangedTime and pwdHistory.
At my site one of the chaining (slave) machines is an OL 2.3.38 Samba
PDC; I've just changed the password of a "test rabbit" user with
smbpasswd and changed it back again. smbpasswd respects referrals,
doesn't chain. I see clearly (with GQ, a GUI) that pwdChangedTime and
pwdHistory have replicated back to the slave (and for that matter to 2
other slaves as well, that had nothing to do with the transaction). The
same happens when using the pam passwd libraries from a slave to update
the master. However, from the master's changelog I see that it wasn't
the master's accesslog that was responsible for replicating these
changes. I can only observe that these attributes are replicated, but in
as much as Pierangelo says that it's the implementor that's responsible,
let's leave it at that.
If your primary worry is that these attributes won't get replicated,
then you can put your mind at rest. For obvious reasons the whole
ppolicy thing would be pretty useless to my site if these attributes
were not replicated.
Email: tonni at hetnet dot nl