[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ppolicy

On Wednesday, 21 April 2010 16:50:31 Frank Swasey wrote:
> We are setting up a new service that is going to actually hold passwords
> in the OpenLDAP database instead of using Kerberos (via sasl and
> saslauthd).  To that end, I'm investigating ppolicy.
> However, what I haven't found in the man page (slapo-ppolicy), or the
> Admin Guide, or the FAQ-O-Matic is whether I need to configure ppolicy
> on the master and the replicas or just the master.

Both. Ignoring the "upstream" replication of state attributes, to use ppolicy 
effectively at all, any server which receives simple binds must have ppolicy 

> My assumption is that I need to set up ppolicy on the replicas as well
> as the master -- otherwise those pwd* operational attributes are not
> going to be legal on the replica and I'll get in trouble.

I think have ppolicy schema loaded would be sufficient to allow the attributes, 
but do you want DNs that have been locked out to be able to authenticate on 
your replicas? If not, you need ppolicy active on them.

> I haven't set
> up a test environment with a replica yet -- so, I'm asking here.
> I also see in the FAQ that ppolicy only works on OpenLDAP versions
> greater than 2.3 (item 2 of the ppolicy checklist).  So, I'm sensing
> that ppolicy in OpenLDAP v2.3.x is not really completely functional?  Am
> I reading too much into the entry in the FAQ?

ppolicy does work on 2.3.x. However, the recent ppolicy_forward_updates option 
on replicas (since 2.4.17 I think) may make things quite a bit easier.