Re: ppolicy


On Wednesday 21 April 2010 17:50:31, Frank Swasey wrote:
> We are setting up a new service that is going to actually hold
> passwords in the OpenLDAP database instead of using Kerberos (via
> sasl and saslauthd).  To that end, I'm investigating ppolicy.
> However, what I haven't found in the man page (slapo-ppolicy), or the
> Admin Guide, or the FAQ-O-Matic is whether I need to configure ppolicy
> on the master and the replicas or just the master.
> My assumption is that I need to set up ppolicy on the replicas as well
> as the master -- otherwise those pwd* operational attributes are not
> going to be legal on the replica and I'll get in trouble.  I haven't
> set up a test environment with a replica yet -- so, I'm asking here.
Yes, you have to set it up on every server.
> I also see in the FAQ that ppolicy only works on OpenLDAP versions
> greater than 2.3 (item 2 of the ppolicy checklist).  So, I'm sensing
> that ppolicy in OpenLDAP v2.3.x is not really completely functional?
Hm, to my knowledge ppolicy was working fine with 2.3.x. But if you are 
setting up a new service it would be wise to go with the latest stable 
release IMO.

> Am I reading too much into the entry in the FAQ?
Hm, I think that entry is plain wrong. Unless somebody else vetoes, I am
going to remove that entry.