Paul B. Henson wrote:
From: Michael Ströder Sent: Sunday, April 27, 2014 11:27 PM
Sometimes it's handy to see when people had failed logins even if you don't apply lockout policy.
It would be even more handy to be able to roll out password policy support without having to shut down your entire LDAP infrastructure ;).
You simply should not load slapo-ppolicy without also loading its schema.
On a given server, obviously. However, ideally, you should be able to load the module on a given server but not have it actually do anything until password policies are actually applied, allowing you to stage the rollout across your servers until the module is loaded everywhere (with no instance where every single server was unavailable).
1. If HA is important you surely have more than one replica and a decent fail-over mechanism.
2. Loading slapo-ppolicy and the schema file in one restart is trivial.
3. If you like more complex things you can add the module and the schema file without restarting the server by using back-config.
Sorry. I don't see the problem.
Ciao, Michael.
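Point 3 above, sketched as an added example that is not part of the original message or of the OpenLDAP distribution. It assumes a `cn=module{0}` entry already exists, that the target database is `olcDatabase={1}mdb`, and that the policy DN under `dc=example,dc=com` is a placeholder; adjust all three to the local configuration.

```ldif
# Added example (constructed). Apply on each replica in turn, e.g. with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f ppolicy-rollout.ldif
#
# Step 1: load the ppolicy schema BEFORE touching the module or overlay.
# The schema ships with OpenLDAP as ppolicy.ldif; add it separately:
#   ldapadd -Y EXTERNAL -H ldapi:/// -f /path/to/schema/ppolicy.ldif
# (the path is a placeholder; the location depends on the installation)

# Step 2: load the overlay module into the running slapd.
# Assumption: cn=module{0},cn=config already exists on this server.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy

# Step 3: attach the overlay to the database it should act on.
# Assumption: the database is olcDatabase={1}mdb.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
# Optional default policy entry; the DN is a placeholder.
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
```

Running `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config -s one dn` before step 2 confirms the ppolicy schema entry is present on that replica.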