
Re: Chaining ppolicy state attributes



Tony Earnshaw wrote:
> Ben Spencer wrote, on 27-12-2007 21:53:
>> It would seem as if it might be impossible/tricky to chain state related
>> ppolicy attribute (ex: pwdAccountLockedTime) updates of a consumer to the
>> master and then back down to the other consumers in OpenLDAP 2.3.
>> Has anyone successfully done this with OpenLDAP 2.3 (2.3.39)?
>
> Inasmuch as Pierangelo says that it was, as of Jan. 18th 2007, not possible to chain these attributes, I have to take notice of that.
> [..]
> pwdAccountLockedTime specific is an attribute that "disappears" as soon as that time is over, so I can't check that, but mention was made of pwdChangedTime and pwdHistory.
> [..]
> I see clearly (with GQ, a GUI) that pwdChangedTime and
> pwdHistory have replicated back to the slave

But note that pwdChangedTime and pwdHistory are set by the DSA on the same machine where the password is (re)set - the master. So if you chain the password change to the master you don't have to worry about it.

But propagating pwdAccountLockedTime, which might be triggered by bad bind attempts to a slave, is a different thing. I vaguely remember Kurt arguing against it. But I don't exactly remember why (and when).

Ciao, Michael.