The lack of responses indicates that people either do not use ppolicy or, once they have used it, never remove it.
For future reference here's the procedure that I've worked up:
1. Shut down slapd on all MMR members.
2. slapcat the database.
3. Edit the database to remove all "pwd*" attributes and all entries that are of a pwd* objectClass.
4. Edit the slapd.conf file (if you are using slapd.d you are on your own).
5. Replace the database (delete, and slapadd).
6. Empty the accesslog database if you are using that.
7. Start slapd.
Copy your edited database to the rest of your servers and use the tried and true "nuke & repave" process to delete the existing database, edit the config, and slapadd the edited database.
- Frank
On Apr 16, 2018, at 11:09, Frank Swasey Frank.Swasey@uvm.edu wrote:
Is there a recommended way to discontinue the use of the ppolicy overlay?
The only way I've found that works is to stop the ldap server and using slapcat/edit/slapadd eradicate all the ppolicy attributes (combined with removing the ppolicy overlay and schema from the slapd.conf file).
I'm attempting this on RHEL7 with OpenLDAP 2.4.46 (local built).
Thanks,
- Frank
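Step 3 of the procedure above (strip every pwd* attribute from the slapcat export and drop whole entries whose objectClass is pwd*) is the part most people do by hand in an editor. The following is an added example of doing that edit with a script; it is not Frank's or the OpenLDAP project's code. It assumes a stdin/stdout filter named strip_ppolicy.py and a small constructed LDIF sample (the example.com DNs and hashes are made up). It unfolds LDIF continuation lines, decodes base64 (::) values so objectClass checks still work, drops any entry with an objectClass beginning with pwd (e.g. pwdPolicy), and removes attribute lines beginning with pwd (pwdChangedTime, pwdHistory, pwdPolicySubentry, and so on) from everything else. Run it on a copy of the export and diff the result before slapadd.

```python
#!/usr/bin/env python3
"""Filter a slapcat LDIF export: drop pwd* attributes and whole pwd* policy entries.

Added example for the ppolicy-removal procedure in this thread; not an OpenLDAP tool.
Usage: python3 strip_ppolicy.py < export.ldif > cleaned.ldif
"""
import base64
import sys


def unfold(lines):
    """Join LDIF continuation lines (a leading space marks a wrapped line)."""
    out = []
    for line in lines:
        if line.startswith(' ') and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def split_entries(lines):
    """Split unfolded lines into entries; a blank line separates entries."""
    entries, current = [], []
    for line in lines:
        if line.strip() == '':
            if current:
                entries.append(current)
                current = []
        else:
            current.append(line)
    if current:
        entries.append(current)
    return entries


def attr_and_value(line):
    """Return (lower-cased attribute name, decoded value); (None, None) for comments."""
    if line.startswith('#'):
        return None, None
    name, sep, rest = line.partition(':')
    if not sep:
        return None, None
    if rest.startswith(':'):          # '::' marks a base64-encoded value
        value = base64.b64decode(rest[1:].strip()).decode('utf-8', 'replace')
    elif rest.startswith('<'):        # ':<' is a URL reference, value not inline
        value = rest[1:].strip()
    else:
        value = rest.strip()
    # drop attribute options such as ';binary' before comparing the name
    return name.split(';', 1)[0].strip().lower(), value


def is_policy_entry(entry):
    """True if any objectClass value begins with 'pwd' (e.g. pwdPolicy)."""
    for line in entry:
        name, value = attr_and_value(line)
        if name == 'objectclass' and value.lower().startswith('pwd'):
            return True
    return False


def strip_ppolicy(ldif_text):
    """Return (cleaned LDIF text, entries dropped, attribute lines dropped)."""
    entries = split_entries(unfold(ldif_text.splitlines()))
    kept, dropped_entries, dropped_attrs = [], 0, 0
    for entry in entries:
        if is_policy_entry(entry):        # whole policy entry goes away
            dropped_entries += 1
            continue
        new_entry = []
        for line in entry:
            name, _ = attr_and_value(line)
            if name is not None and name.startswith('pwd'):
                dropped_attrs += 1        # pwdChangedTime, pwdHistory, ...
                continue
            new_entry.append(line)
        kept.append('\n'.join(new_entry))
    return '\n\n'.join(kept) + '\n', dropped_entries, dropped_attrs


# Constructed sample export: a policy entry plus a user carrying ppolicy state.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example

dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: device
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776000

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQtc2FtcGxlLWhhc2g=
pwdChangedTime: 20180410120000Z
pwdHistory: 20180101120000Z#1.3.6.1.4.1.1466.115.121.1.40#20#
 {SSHA}constructed-sample-history-hash
pwdPolicySubentry: cn=default,ou=policies,dc=example,dc=com
"""

if __name__ == '__main__':
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    cleaned, n_entries, n_attrs = strip_ppolicy(src)
    sys.stdout.write(cleaned)
    print(f'dropped {n_entries} policy entries, {n_attrs} pwd* attribute lines',
          file=sys.stderr)
```

The script leaves every other operational attribute (entryUUID, createTimestamp, etc.) untouched, which is what you want when the cleaned file is slapadd'ed back; the per-entry counts on stderr give you a quick sanity check that the number of removed policy entries matches what you expect from your tree.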
--On Thursday, April 19, 2018 1:12 PM +0000 Frank Swasey Frank.Swasey@uvm.edu wrote:
edit the slapd.conf file (if you are using slapd.d you are on your own)
It's not that different for slapd.d. You'd want to slapcat it, remove the ppolicy overlay bits, and slapadd it back in. ;)
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
On Thu, Apr 19, 2018 at 5:12 AM, Frank Swasey Frank.Swasey@uvm.edu wrote:
For future reference here's the procedure that I've worked up:
1. Shut down slapd on all MMR members.
2. slapcat the database.
3. Edit the database to remove all "pwd*" attributes and all entries that are of a pwd* objectClass.
4. Edit the slapd.conf file (if you are using slapd.d you are on your own).
5. Replace the database (delete, and slapadd).
6. Empty the accesslog database if you are using that.
7. Start slapd.
Copy your edited database to the rest of your servers and use the tried and true "nuke & repave" process to delete the existing database, edit the config, and slapadd the edited database.
Frank,
Thank you for outlining this process. Does anyone have a preferred "hand holding" walkthrough they could recommend for this type of procedure, for those of us who are not as confident in our OpenLDAP prowess?
Cheers, -danny
openldap-technical@openldap.org