
Antw: Re: Q: accesslog and replicated changes



>>> Quanah Gibson-Mount <quanah@zimbra.com> wrote on 15.04.2016 at 03:40 in
message <92BBFC2841F84321102D00F6@[192.168.1.19]>:
> --On Thursday, April 14, 2016 9:25 AM +0200 Ulrich Windl 
> <Ulrich.Windl@rz.uni-regensburg.de> wrote:
> 
>> Hello!
>>
>> I have configured accesslog to log all changes to an LDAP server, and
>> that seems to work for months. Recently I noticed that there were no
>> new entries for more than a week. Usually there are several entries per
>> day, because with password policy every bad login attempt is logged. As
>> we have three multi-master servers, I wonder whether changes made to
>> other servers and replicated to the local server will be logged by
>> accesslog also. Are the password policy updates (which are somewhat
>> special) also replicated to all servers?
> 
> Have you read over the slapo-ppolicy(5) man page?

You answered a question with a question; from what I read it should be replicated in an MMR environment:
--
       Note that the current IETF Password Policy proposal does not define how
       these operational attributes are expected to behave  in  a  replication
       environment. In general, authentication attempts on a slave server only
       affect the copy of the operational attributes on that  slave  and  will
       not  affect  any  attributes  for  a user's entry on the master server.
       Operational attribute changes resulting from authentication attempts on
       a  master  server  will usually replicate to the slaves (and also over-
       write any changes that originated on the slave).  These  behaviors  are
       not  guaranteed  and  are subject to change when a formal specification
       emerges.
--

From my understanding, changes to one master should be replicated to other masters.

The open question is whether there is any special treatment of ppolicy entries for accesslog.

Regards,
Ulrich

> 
> <http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html>
> 
> The "OPERATIONAL ATTRIBUTES" section is interesting.  I can't tell how it's 
> supposed to operate in an MMR environment.

So maybe read the manual also ;-)

Ulrich