We are setting up a new service that is going to actually hold passwords in the OpenLDAP database instead of using Kerberos (via sasl and saslauthd). To that end, I'm investigating ppolicy.

However, what I haven't found in the man page (slapo-ppolicy), or the Admin Guide, or the FAQ-O-Matic is whether I need to configure ppolicy on the master and the replicas or just the master.

My assumption is that I need to set up ppolicy on the replicas as well as the master -- otherwise those pwd* operational attributes are not going to be legal on the replica and I'll get in trouble. I haven't set up a test environment with a replica yet -- so, I'm asking here.

I also see in the FAQ that ppolicy only works on OpenLDAP versions greater than 2.3 (item 2 of the ppolicy checklist). So, I'm sensing that ppolicy in OpenLDAP v2.3.x is not really completely functional? Am I reading too much into the entry in the FAQ?

Frank Swasey                    | http://www.uvm.edu/~fcs
Sr Systems Administrator        | Always remember: You are UNIQUE,
University of Vermont           |    just like everyone else.
  "I am not young enough to know everything." - Oscar Wilde (1854-1900)