We are setting up a new service that is going to actually hold passwords
in the OpenLDAP database instead of using Kerberos (via sasl and
saslauthd). To that end, I'm investigating ppolicy.
However, what I haven't found in the man page (slapo-ppolicy), or the
Admin Guide, or the FAQ-O-Matic is whether I need to configure ppolicy
on the master and the replicas or just the master.
My assumption is that I need to set up ppolicy on the replicas as well
as the master -- otherwise those pwd* operational attributes are not
going to be legal on the replica and I'll get in trouble. I haven't set
up a test environment with a replica yet -- so, I'm asking here.
I also see in the FAQ that ppolicy only works on OpenLDAP versions
greater than 2.3 (item 2 of the ppolicy checklist). So, I'm sensing
that ppolicy in OpenLDAP v2.3.x is not really completely functional? Am
I reading too much into the entry in the FAQ?
Frank Swasey | http://www.uvm.edu/~fcs
Sr Systems Administrator | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
"I am not young enough to know everything." - Oscar Wilde (1854-1900)