Re: Design for large openldap deployments
Hi Michael,
On Fri, 13 Dec 2013, Michael Ströder wrote:
> On Fri, 13 Dec 2013 18:40:02 +0100 (CET) Christian Kratzer <ck-lists@cksoft.de>
> wrote
>> - Allow writes to those edge sites for the purposes of slapo_ppolicy,
>> slapo_lastbind and password changes.
>
> Note that with OpenLDAP operational attributes set by slapo-ppolicy and
> slapo-lastbind are not replicated anyway (with some exceptions like
> pwdChangedTime).
For slapo-ppolicy I do see pwdFailureTime, pwdAccountLockedTime,
pwdChangedTime being replicated which is enough for my use case.
For slapo-lastbind pwdAuthTimestamp is not replicated by default.
I have local patches from (ITS#7721) to also replicate authTimestamp.
I am planning on setting olcLastBindPrecision to a large value of 8 hours
or more which is also more than enough for the customer's requirement of
finding users who have not logged in for 6 months.
I am thinking about having MMR write access up to the edges where I would
usually have read only slaves in order to have above attributes propagate.
Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ck@cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Web: http://www.cksoft.de/ Geschaeftsfuehrer: Christian Kratzer
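
The stale-account check discussed in this message, as an added example that is not part of the original post: it classifies entries from an LDIF export by authTimestamp and shows why an 8 hour olcLastBindPrecision barely affects a 6 month cutoff. The DNs, timestamps, the 182-day reading of "6 months" and the simplified LDIF parsing (no folded or base64 lines) are assumptions.

```python
from datetime import datetime, timedelta, timezone

PRECISION = timedelta(hours=8)      # olcLastBindPrecision value mentioned in the post
STALE_AFTER = timedelta(days=182)   # assumption: "6 months" taken as 182 days

# Constructed sample export; DNs and timestamps are made up for illustration.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
authTimestamp: 20131210091500Z

dn: uid=bob,ou=people,dc=example,dc=com
authTimestamp: 20130501120000Z

dn: uid=carol,ou=people,dc=example,dc=com

dn: uid=dave,ou=people,dc=example,dc=com
authTimestamp: 20130614120000Z
"""

def parse_entries(ldif):
    """Yield (dn, authTimestamp or None) for each blank-line separated entry."""
    for block in ldif.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        ts = attrs.get("authTimestamp")
        when = (datetime.strptime(ts, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
                if ts else None)
        yield attrs["dn"], when

def classify(ldif, now):
    """Sort entries into stale / borderline / no_timestamp; active ones are omitted."""
    cutoff = now - STALE_AFTER
    result = {"stale": [], "borderline": [], "no_timestamp": []}
    for dn, when in parse_entries(ldif):
        if when is None:
            # Never bound, or the attribute did not reach this server.
            result["no_timestamp"].append(dn)
        elif when + PRECISION <= cutoff:
            # Assumes the stored value is only rewritten once it is older than
            # PRECISION, so the real last bind is still before the cutoff.
            result["stale"].append(dn)
        elif when <= cutoff:
            # Stored value is old, but a later bind inside the precision
            # window may have gone unrecorded.
            result["borderline"].append(dn)
    return result

if __name__ == "__main__":
    print(classify(SAMPLE_LDIF, datetime(2013, 12, 13, 18, 0, tzinfo=timezone.utc)))
```

Entries without authTimestamp need separate review, since on a server that does not receive the attribute by replication they are indistinguishable from accounts that never bound.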