From: Michael Ströder Sent: Monday, April 28, 2014 11:50 PM

> - If HA is important you surely have more than one replica and a decent
> fail-over mechanism.

Absolutely.

> - Loading slapo-ppolicy and the schema file in one restart is trivial.

Agreed.

> Sorry. I don't see the problem.
The problem, in an environment where all of the servers are masters (which is somewhat required for a sane account lockout implementation, unless you're using the chaining mechanism to forward the failed authentication attributes), is that as soon as *one* of those servers has been updated to load the ppolicy module, it starts trying to replicate pwdFailureTime whenever an authentication fails. All of the other servers, which have not yet been updated to load the password policy module, fail replication due to an unknown attribute.

So, the problem is that unless you want your infrastructure to start failing to replicate, you have to update all of them at the same time, so that there is never a scenario where some systems have the password policy module loaded and others don't. And the only way to do that is to have all of them shut down for at least some amount of time.

I guess alternatively you could start updating them one at a time without shutting them all down, and the ones you haven't gotten to yet would simply fail replication until you got to them.
But it would be a lot simpler if you could load the password policy module and have it not actually try to replicate anything until it's actually configured with a policy.
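The failure mode described in this message is a schema mismatch: one master emits pwdFailureTime while a peer does not yet know that attribute type. One defensive check before the staggered rollout is to read cn=Subschema from every master and confirm each already advertises the attribute types slapo-ppolicy will write. The script below is an added example, not code from this thread or from the OpenLDAP project; the subschema text is a constructed stand-in for `ldapsearch -b cn=Subschema -s base attributeTypes` output (OIDs and descriptions are illustrative), and the host names and helper names are hypothetical. It also handles LDIF line folding (continuation lines beginning with a space), which real ldapsearch output produces.

```python
import re
from typing import Dict, List, Set

# Attribute types the thread says slapo-ppolicy starts writing (and hence
# replicating) as soon as it is loaded. Extend this list for your deployment.
REQUIRED_ATTRIBUTE_TYPES: List[str] = ["pwdFailureTime"]

# Constructed sample, shaped like the output of
#   ldapsearch -x -H ldap://HOST -b cn=Subschema -s base attributeTypes
# for two hypothetical masters: ldap1 already loads ppolicy, ldap2 does not.
# Lines are folded the way ldapsearch folds them (leading space = continuation).
SAMPLE_SUBSCHEMA: Dict[str, str] = {
    "ldap1.example.org": (
        "dn: cn=Subschema\n"
        "attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )\n"
        "attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.19 NAME 'pwdFailureTime' DES\n"
        " C 'constructed sample' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1\n"
        " .1466.115.121.1.24 NO-USER-MODIFICATION USAGE directoryOperation )\n"
    ),
    "ldap2.example.org": (
        "dn: cn=Subschema\n"
        "attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )\n"
    ),
}

# NAME 'single' or NAME ( 'alias1' 'alias2' ) inside an attributeTypes definition
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(([^)]*)\))")


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines; a leading space means 'append to previous line'."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines


def attribute_type_names(subschema_ldif: str) -> Set[str]:
    """Return every NAME (including aliases) advertised by attributeTypes lines."""
    names: Set[str] = set()
    for line in unfold_ldif(subschema_ldif):
        if not line.startswith("attributeTypes:"):
            continue
        match = _NAME_RE.search(line)
        if not match:
            continue
        if match.group(1) is not None:
            names.add(match.group(1))
        else:
            names.update(re.findall(r"'([^']*)'", match.group(2)))
    return names


def missing_attribute_types(
    schema_by_server: Dict[str, str],
    required: List[str] = REQUIRED_ATTRIBUTE_TYPES,
) -> Dict[str, List[str]]:
    """Map each server to the required attribute types its subschema does not know."""
    report: Dict[str, List[str]] = {}
    for server, ldif in schema_by_server.items():
        known = attribute_type_names(ldif)
        gaps = [attr for attr in required if attr not in known]
        if gaps:
            report[server] = gaps
    return report


def safe_to_enable_ppolicy(schema_by_server: Dict[str, str]) -> bool:
    """True only when every master already knows all required attribute types."""
    return not missing_attribute_types(schema_by_server)


if __name__ == "__main__":
    for server, gaps in missing_attribute_types(SAMPLE_SUBSCHEMA).items():
        print(f"{server}: missing {', '.join(gaps)}")
    print("safe to enable ppolicy:", safe_to_enable_ppolicy(SAMPLE_SUBSCHEMA))
```

In practice you would replace the constructed dictionary with the real subschema read from each master and refuse to enable the overlay anywhere while the report is non-empty; that turns the "update all at once or accept replication failures" choice into a schema-first rollout you can verify before any server starts emitting the attribute.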