--On Monday, January 09, 2017 9:53 AM -0500 Beth Halsema bhalsema@purdue.edu wrote:
Hi Beth,
I'm guessing that ppolicy is writing items that are not supposed to be replicated to the accesslog. This issue (ITS8561) and ITS8444 I think are generally similar items, in that while the accesslog is writing all write operations, replication requires that some write operations not be present in the accesslog. I'll be discussing with the other team members how best to handle what are somewhat conflicting requirements.
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
On Mon, 9 Jan 2017, Quanah Gibson-Mount wrote:
Quanah, are you suggesting that the ppolicy attributes (i.e. pwdGraceUseTime, pwdFailureTime, etc.) not be replicated?
If so, that would make me sad. :) I believe that their replication is quite beneficial for OpenLDAP clusters toward avoiding:
1. The behavior being inconsistent, depending on which node is used (one node locks out, while the others haven't yet reached that state).
2. A user potentially having pwdMaxFailure * (the number of nodes in the cluster) failures before being locked out.
If not, then I am no longer sad. :)
I appreciate your time and effort.
Thank you,
Beth
-------------------------------------------------------------------------
Beth A. Halsema - GSEC, GSSP-Java email:bhalsema@purdue.edu
Software Engineer, Identity & Access Management
OVPIT - IT Security and Policy
3495 Kent Avenue, Suite 100 Fax : (765) 464-2233
West Lafayette, IN 47906 Campus Mail: ROSS
openldap-technical@openldap.org