On Tuesday 16 June 2009 10:45:00 Jordi Espasa Clofent wrote:
Hi,
According to http://www.openldap.org/lists/openldap-software/200701/msg00149.html, the "In general, ppolicy related state values are not replicated; each replica is on its own as far as state-related attributes in enforcing password policy."
¿Is it means that of I've one provider and two consumers, the changes made in ppolicy statements in provider are not sync againt the consumers as other kind entries/attributes are?
I need to know because of I've change my userPassword in provider and:
- I can use without problems the new password using the provider
- I cannot use the new password against the two consumers.
userPassword is *not* a "state-related attribute", please see 'man slapo- ppolicy'.
Note, that what this does mean is that you may be locked out on one slave, but not the others (and maybe not the provider), and simple reset-ing the password on the master may not be sufficient to unlock the account on the slaves, and the pwdAccountFailureTime attributes may not be cleared, meaning one more failed authentication may lock the account on a slave (especially in a load-balanced environment).
Regards, Buchan