Quanah Gibson-Mount quanah@zimbra.com wrote on 15.04.2016 at 03:40 in
message <92BBFC2841F84321102D00F6@[192.168.1.19]>:
--On Thursday, April 14, 2016 9:25 AM +0200 Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de wrote:
Hello!
I have configured accesslog to log all changes to an LDAP server, and that seems to work for months. Recently I noticed that there were no new entries for more than a week. Usually there are several entries per day, because with password policy every bad login attempt is logged. As we have three multi-master servers, I wonder whether changes made to other servers and replicated to the local server will be logged by accesslog also. Are the password policy updates (which are somewhat special) also replicated to all servers?
Have you read over the slapo-ppolicy(5) man page?
You answered a question with a question; from what I read it should be replicated in an MMR environment:
--
Note that the current IETF Password Policy proposal does not define how these operational attributes are expected to behave in a replication environment. In general, authentication attempts on a slave server only affect the copy of the operational attributes on that slave and will not affect any attributes for a user's entry on the master server. Operational attribute changes resulting from authentication attempts on a master server will usually replicate to the slaves (and also overwrite any changes that originated on the slave). These behaviors are not guaranteed and are subject to change when a formal specification emerges.
--
From my understanding changes to one master should be replicated to other masters.
Open is the question whether there is any special treatment of ppolicy entries for accesslog.
Regards, Ulrich
<http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=0&a... 0&manpath=OpenLDAP+2.4-Release&format=html>
The "OPERATIONAL ATTRIBUTES" section is interesting. I can't tell how it's supposed to operate in an MMR environment.
So maybe read the manual also ;-)
Ulrich