[Date Prev][Date Next]
Re: Chaining ppolicy state attributes
Tony Earnshaw wrote:
Ben Spencer skrev, on 27-12-2007 21:53:
it would seem as if it might be impossible/tricky to chain state related
ppolicy attribute (ex: pwdAccountLockedTime) updates of a consumer to the
master and then back down to the other consumers in OpenLDAP 2.3
Has anyone successfully done this with OpenLDAP 2.3 (2.3.39)?
In as much as Pierangelo says that it was, as of Jan. 18th 2007, not
possible to chain these attributes, I have to take notice of that.
pwdAccountLockedTime specific is an attribute that "disappears" as soon
as that time is over, so I can't check that, but mention was made of
pwdChangedTime and pwdHistory.
> I see clearly (with GQ, a GUI) that pwdChangedTime and
> pwdHistory have replicated back to the slave
But note that pwdChangedTime and pwdHistory are set by the DSA on the
same machine like where the password is (re)set - the master. So if you
chain the password change to the master you don't have to worry about.
But propagating pwdAccountLockedTime which might be triggered by bad
bind attempts to a slave is a different thing. I vaguely remembering
Kurt arguing against it. But don't exactly remember why (and when).