On Fri, 13 Dec 2013, Michael Ströder wrote:
On Fri, 13 Dec 2013 18:40:02 +0100 (CET) Christian Kratzer email@example.com wrote
- Allow writes to those edge sites for the purpososes of slapo_ppolicy, slapo_lastbind and password changes.
Note that with OpenLDAP operational attributes set by slapo-ppolicy and slapo-lastbind are not replicated anyway (with some exceptions like pwdChangedTime).
For slapo-ppoolicy I do see pwdFailureTime, pwdAccountLockedTime, pwdChangedTime being replicated which is enough for my use case.
For slapo-lastbind pwdAuthTimestamp is not replicated by default. I have local patches from (ITS#7721) to also replicate authTimestamp.
I am planning on setting olcLastBindPrecision to a large value of 8 hours or more which is also more than enough for the customers requirement of finding users who have not logged in for 6 months.
I am thinking about having MMR write access upto the edges where I would usually have read only slaves in order to have above attributes propagete.