[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: deploying password policy module



> From: Michael Ströder
> Sent: Monday, April 28, 2014 11:50 PM
>
> 1. If HA is important you surely have more than one replica and a decent
> fail-over mechanism.

Absolutely.

> 2. Loading slapo-ppolicy and the schema file in one restart is trivial.

Agreed.

> Sorry. I don't see the problem.

The problem, in an environment where all of the servers are masters (which
is somewhat required for a sane account lockout implementation, unless
you're using the chaining mechanism to forward the failed authentication
attributes), as soon as *one* of those servers has been updated to load the
ppolicy module, it starts trying to replicate pwdFailureTime whenever an
authentication fails. All of the other servers, which have not yet been
updated to load the password policy module, fail replication due to an
unknown attribute.

So, the problem is that unless you want your infrastructure to start failing
to replicate, you have to update all of them at the same time, such that
there is never a scenario where some systems have the password policy module
loaded and others don't. And the only way to do that is to for at least some
amount of time have all of them shutdown.

I guess alternatively you could start updating them one at a time without
shutting them all down, and the ones you haven't gotten to yet would simply
fail replications until you got to them.

But it would be a lot simpler if you could load the password policy module
and have it not actually try to replicate anything until it's actually
configured with a policy.