--On Thursday, January 12, 2017 10:20 AM -0500 Beth Halsema bhalsema@purdue.edu wrote:
Quanah, are you suggesting that the ppolicy attributes (i.e. pwdGraceUseTime, pwdFailureTime, etc.) not be replicated?
Hi Beth,
This is clearly noted in the slapo-ppolicy(5) man page:
Note that the current IETF Password Policy proposal does not define how these operational attributes are expected to behave in a replication environment. In general, authentication attempts on a slave server only affect the copy of the operational attributes on that slave and will not affect any attributes for a user's entry on the master server. Operational attribute changes resulting from authentication attempts on a master server will usually replicate to the slaves (and also overwrite any changes that originated on the slave). These behaviors are not guaranteed and are subject to change when a formal specification emerges.
The correct fix is to modify your syncrepl configuration so that those attributes are ignored by the syncrepl client. There is no patch to the code necessary.
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
Hi Quanah,
On 12/01/17 16:06, Quanah Gibson-Mount wrote:
The correct fix is to modify your syncrepl configuration so that those attributes are ignored by the syncrepl client. There is no patch to the code necessary.
Possibly a dumb question, but do you have a worked example of this? The usual "get-all" stanza for this would be "*, +" and, as far as I'm aware, you can't subtract attributes from the list returned, i.e. search for all attributes *except* pwdFailureTime. Does this mean you would need to list all the operational attributes you do want replicated (and isn't there a risk that you could break things if you were to miss out the wrong ones)?
My thinking is that this would be a suitable workaround for the issue I've been experiencing with the memberOf attribute: if it isn't picked up by syncrepl then each server will (correctly) maintain its own memberOf attributes individually.
Mark Cairney wrote:
On 12/01/17 16:06, Quanah Gibson-Mount wrote:
The correct fix is to modify your syncrepl configuration so that those attributes are ignored by the syncrepl client. There is no patch to the code necessary.
Possibly a dumb question but do you have a worked example of this? The usual "get-all" stanza for this would "*, +" and as far as I'm aware you can't subtract attributes from the list returned i.e. search for all attributes *except* pwdFailureTime.
You could try using option exattrs with syncrepl statement, see slapd.conf(5).
Ciao, Michael.
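For readers who want the worked example Mark asked for, here is an added illustration (not a configuration posted in this thread) of a syncrepl consumer stanza in slapd.conf that replicates every user and operational attribute with attrs="*,+" and then uses exattrs to drop the ppolicy counters that each server should track on its own. The provider URL, rid, search base, bind DN and credential placeholder are all made up for the example.

```conf
# Added example, not from the thread: consumer-side syncrepl stanza that
# keeps "*,+" but excludes the per-server ppolicy bookkeeping attributes.
# Hostnames, DNs and the credential placeholder are illustrative only.
syncrepl rid=001
        provider=ldap://ldap-master.example.com
        type=refreshAndPersist
        retry="5 5 300 +"
        searchbase="dc=example,dc=com"
        scope=sub
        attrs="*,+"
        exattrs="pwdFailureTime,pwdGraceUseTime,pwdAccountLockedTime"
        schemachecking=off
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=REPLACE_WITH_REPLICATOR_PASSWORD
```

The exclusion list is deliberately limited to the attributes that the slapo-ppolicy(5) text quoted earlier describes as changing on whichever server handled the bind: failed-bind timestamps, grace-login usage and the resulting lock. pwdChangedTime and pwdHistory are not excluded, so password-expiry and history checks still agree across servers. The trade-off is that a lockout triggered on one server is not visible on the others, so anyone reviewing account lockouts has to query each server rather than just the provider. The same stanza expressed in cn=config is a single olcSyncrepl value with the identical key=value pairs on one line.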
On 12/01/2017 22:27, Michael Ströder wrote:
You could try using option exattrs with syncrepl statement, see slapd.conf(5).
Ciao, Michael.
Awesome, sounds like exactly what I was looking for!
Kind regards,
Mark