We are setting up a new service that is going to actually hold passwords in the OpenLDAP database instead of using Kerberos (via sasl and saslauthd). To that end, I'm investigating ppolicy.
However, what I haven't found in the man page (slapo-ppolicy), or the Admin Guide, or the FAQ-O-Matic is whether I need to configure ppolicy on the master and the replicas or just the master.
My assumption is that I need to set up ppolicy on the replicas as well as the master -- otherwise those pwd* operational attributes are not going to be legal on the replica and I'll get in trouble. I haven't set up a test environment with a replica yet -- so, I'm asking here.
I also see in the FAQ that ppolicy only works on OpenLDAP versions greater than 2.3 (item 2 of the ppolicy checklist). So, I'm sensing that ppolicy in OpenLDAP v2.3.x is not really completely functional? Am I reading too much into the entry in the FAQ?