ppolicy

[Frank Swasey <Frank.Swasey@uvm.edu>]

We are setting up a new service that is going to actually hold passwords 
in the OpenLDAP database instead of using Kerberos (via sasl and 
saslauthd).  To that end, I'm investigating ppolicy.

However, what I haven't found in the man page (slapo-ppolicy), or the 
Admin Guide, or the FAQ-O-Matic is whether I need to configure ppolicy 
on the master and the replicas or just the master.

My assumption is that I need to set up ppolicy on the replicas as well 
as the master -- otherwise those pwd* operational attributes are not 
going to be legal on the replica and I'll get in trouble.  I haven't set 
up a test environment with a replica yet -- so, I'm asking here.

I also see in the FAQ that ppolicy only works on OpenLDAP versions 
greater than 2.3 (item 2 of the ppolicy checklist).  So, I'm sensing 
that ppolicy in OpenLDAP v2.3.x is not really completely functional?  Am 
I reading too much into the entry in the FAQ?

--
Frank Swasey                    | http://www.uvm.edu/~fcs
Sr Systems Administrator        | Always remember: You are UNIQUE,
University of Vermont           |    just like everyone else.
  "I am not young enough to know everything." - Oscar Wilde (1854-1900)