8:50 a.m.
We are setting up a new service that is going to actually hold passwords
in the OpenLDAP database instead of using Kerberos (via sasl and
saslauthd). To that end, I'm investigating ppolicy.
However, what I haven't found in the man page (slapo-ppolicy), or the
Admin Guide, or the FAQ-O-Matic is whether I need to configure ppolicy
on the master and the replicas or just the master.
My assumption is that I need to set up ppolicy on the replicas as well
as the master -- otherwise those pwd* operational attributes are not
going to be legal on the replica and I'll get in trouble. I haven't set
up a test environment with a replica yet -- so, I'm asking here.
I also see in the FAQ that ppolicy only works on OpenLDAP versions
greater than 2.3 (item 2 of the ppolicy checklist). So, I'm sensing
that ppolicy in OpenLDAP v2.3.x is not really completely functional? Am
I reading too much into the entry in the FAQ?
--
Frank Swasey | http://www.uvm.edu/~fcs
Sr Systems Administrator | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
"I am not young enough to know everything." - Oscar Wilde (1854-1900)
12:55 a.m.
On Wednesday, 21 April 2010 16:50:31 Frank Swasey wrote:
We are setting up a new service that is going to actually hold
passwords
in the OpenLDAP database instead of using Kerberos (via sasl and
saslauthd). To that end, I'm investigating ppolicy.
However, what I haven't found in the man page (slapo-ppolicy), or the
Admin Guide, or the FAQ-O-Matic is whether I need to configure ppolicy
on the master and the replicas or just the master.
Both. Ignoring the "upstream" replication of state attributes, to use ppolicy
effectively at all, any server which receives simple binds must have ppolicy
active.
My assumption is that I need to set up ppolicy on the replicas as
well
as the master -- otherwise those pwd* operational attributes are not
going to be legal on the replica and I'll get in trouble.
I think have ppolicy schema loaded would be sufficient to allow the attributes,
but do you want DNs that have been locked out to be able to authenticate on
your replicas? If not, you need ppolicy active on them.
I haven't set
up a test environment with a replica yet -- so, I'm asking here.
I also see in the FAQ that ppolicy only works on OpenLDAP versions
greater than 2.3 (item 2 of the ppolicy checklist). So, I'm sensing
that ppolicy in OpenLDAP v2.3.x is not really completely functional? Am
I reading too much into the entry in the FAQ?
ppolicy does work on 2.3.x. However, the recent ppolicy_forward_updates option
on replicas (since 2.4.17 I think) may make things quite a bit easier.
Regards,
Buchan
7:57 a.m.
Hi,
Am Mittwoch 21 April 2010 17:50:31 schrieb Frank Swasey:
We are setting up a new service that is going to actually hold
passwords in the OpenLDAP database instead of using Kerberos (via
sasl and saslauthd). To that end, I'm investigating ppolicy.
However, what I haven't found in the man page (slapo-ppolicy), or the
Admin Guide, or the FAQ-O-Matic is whether I need to configure ppolicy
on the master and the replicas or just the master.
My assumption is that I need to set up ppolicy on the replicas as well
as the master -- otherwise those pwd* operational attributes are not
going to be legal on the replica and I'll get in trouble. I haven't
set up a test environment with a replica yet -- so, I'm asking here.
Yes you
have to set it up on every server.
I also see in the FAQ that ppolicy only works on OpenLDAP versions
greater than 2.3 (item 2 of the ppolicy checklist). So, I'm sensing
that ppolicy in OpenLDAP v2.3.x is not really completely functional?
Hm, to my
knowledge ppolicy was working fine with 2.3.x. But if you are
setting up a new service it would be wise to go with the latest stable
release IMO.
Am I reading too much into the entry in the FAQ?
Hm, I think
that entry it's plain wrong. Unless somebody else vetos I am
going to remove that entry.
--
Ralf
4795
days inactive
4796
days old
openldap-software@openldap.org
2 comments
3 participants
participants (3)
-
Buchan Milne -
Frank Swasey -
Ralf Haferkamp