[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ppolicy

To: openldap-software@openldap.org
Subject: Re: ppolicy
From: Ralf Haferkamp <rhafer@suse.de>
Date: Thu, 22 Apr 2010 16:57:55 +0200
In-reply-to: <4BCF1EC7.5010105@uvm.edu>
References: <4BCF1EC7.5010105@uvm.edu>
User-agent: KMail/1.13.2 (Linux/2.6.34-rc3-3-default; KDE/4.4.2; x86_64; ; )

Hi,

Am Mittwoch 21 April 2010 17:50:31 schrieb Frank Swasey:
> We are setting up a new service that is going to actually hold
> passwords in the OpenLDAP database instead of using Kerberos (via
> sasl and saslauthd).  To that end, I'm investigating ppolicy.
> 
> However, what I haven't found in the man page (slapo-ppolicy), or the
> Admin Guide, or the FAQ-O-Matic is whether I need to configure ppolicy
> on the master and the replicas or just the master.
> 
> My assumption is that I need to set up ppolicy on the replicas as well
> as the master -- otherwise those pwd* operational attributes are not
> going to be legal on the replica and I'll get in trouble.  I haven't
> set up a test environment with a replica yet -- so, I'm asking here.
Yes you have to set it up on every server.
 
> I also see in the FAQ that ppolicy only works on OpenLDAP versions
> greater than 2.3 (item 2 of the ppolicy checklist).  So, I'm sensing
> that ppolicy in OpenLDAP v2.3.x is not really completely functional?
Hm, to my knowledge ppolicy was working fine with 2.3.x. But if you are 
setting up a new service it would be wise to go with the latest stable 
release IMO.

> Am I reading too much into the entry in the FAQ?
Hm, I think that entry it's plain wrong. Unless somebody else vetos I am 
going to remove that entry.

-- 
Ralf

References:
- ppolicy
  - From: Frank Swasey <Frank.Swasey@uvm.edu>

Prev by Date: too many open files
Next by Date: RE: Exception handling!!!
Index(es):
- Chronological
- Thread