Re: Chaining ppolicy state attributes
Tony Earnshaw wrote:
Ben Spencer wrote, on 27-12-2007 21:53:
It would seem as if it might be impossible/tricky to chain state-related
ppolicy attribute (ex: pwdAccountLockedTime) updates of a consumer to the
master and then back down to the other consumers in OpenLDAP 2.3.
Has anyone successfully done this with OpenLDAP 2.3 (2.3.39)?
In as much as Pierangelo says that it was, as of Jan. 18th 2007, not
possible to chain these attributes, I have to take notice of that.
[..]
pwdAccountLockedTime specifically is an attribute that "disappears" as soon
as that time is over, so I can't check that, but mention was made of
pwdChangedTime and pwdHistory.
> [..]
> I see clearly (with GQ, a GUI) that pwdChangedTime and
> pwdHistory have replicated back to the slave
But note that pwdChangedTime and pwdHistory are set by the DSA on the
same machine as where the password is (re)set - the master. So if you
chain the password change to the master you don't have to worry about it.
But propagating pwdAccountLockedTime which might be triggered by bad
bind attempts to a slave is a different thing. I vaguely remember
Kurt arguing against it. But I don't exactly remember why (and when).
Ciao, Michael.