Hi,
On Wednesday, 21 April 2010 17:50:31, Frank Swasey wrote:
> We are setting up a new service that is going to actually hold passwords in the OpenLDAP database instead of using Kerberos (via sasl and saslauthd). To that end, I'm investigating ppolicy.
> However, what I haven't found in the man page (slapo-ppolicy), or the Admin Guide, or the FAQ-O-Matic is whether I need to configure ppolicy on the master and the replicas or just the master.
> My assumption is that I need to set up ppolicy on the replicas as well as the master -- otherwise those pwd* operational attributes are not going to be legal on the replica and I'll get in trouble. I haven't set up a test environment with a replica yet -- so, I'm asking here.

Yes, you have to set it up on every server.

> I also see in the FAQ that ppolicy only works on OpenLDAP versions greater than 2.3 (item 2 of the ppolicy checklist). So, I'm sensing that ppolicy in OpenLDAP v2.3.x is not really completely functional?

Hm, to my knowledge ppolicy was working fine with 2.3.x. But if you are setting up a new service it would be wise to go with the latest stable release IMO.

> Am I reading too much into the entry in the FAQ?

Hm, I think that entry is plain wrong. Unless somebody else vetoes, I am going to remove that entry.