Ben Spencer skrev, on 27-12-2007 21:53:
AFAICS msg00050 has nothing to do with ppolicy, msg00149 does.
it would seem as if it might be impossible/tricky to chain state related ppolicy attribute (ex: pwdAccountLockedTime) updates of a consumer to the master and then back down to the other consumers in OpenLDAP 2.3
Has anyone successfully done this with OpenLDAP 2.3 (2.3.39)?
In as much as Pierangelo says that it was, as of Jan. 18th 2007, not possible to chain these attributes, I have to take notice of that.
However, my site's been running ppolicy in production since the beginning of Dec. with much tweaking and experimenting before that (different utilities and mechanisms have to be able to support ppolicy or a corresponding alternative).
pwdAccountLockedTime specific is an attribute that "disappears" as soon as that time is over, so I can't check that, but mention was made of pwdChangedTime and pwdHistory.
At my site one of the chaining (slave) machines is an OL 2.3.38 Samba PDC; I've just changed the password of a "test rabbit" user with smbpasswd and changed it back again. smbpasswd respects referrals, doesn't chain. I see clearly (with GQ, a GUI) that pwdChangedTime and pwdHistory have replicated back to the slave (and for that matter to 2 other slaves as well, that had nothing to do with the transaction). The same happens when using the pam passwd libraries from a slave to update the master. However, from the master's changelog I see that it wasn't the master's accesslog that was responsible for replicating these changes. I can only observe that these attributes are replicated, but in as much as Pierangelo says that it's the implementor that's responsible, let's leave it at that.
If your primary worry is that these attributes won't get replicated, then you can put your mind at rest. For obvious reasons the whole ppolicy thing would be pretty useless to my site if these attributes were not replicated.