[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: About ppolicy
On Fri, 3 May 2013, Jacques Foucry wrote:
So I had a look to ppolicy and appli this tutorial:
http://theslashroot.blogspot.fr/2011/12/openldap-with-ppolicy.html
Some things are not clear for me. Did I have to disable shadowAccount on my
schema?
If not is shadowLastChange will be updated?
Any shadowAccount concepts and slapo-ppolicy are independent. Your local
implementation can consider the usage of one/both/neither in a coordinated
fashion, but slapd won't help you in this manner.
Note that slapo-ppolicy operates almost entirely server-side, whereas any
shadow-related attributes (i.e. shadowLastChange you mentioned) are
updated by LDAP clients (typically a LDAP NSS module or similar). If
you're trying to make something consistent across an entire directory,
depending on client-specific behavior is difficult unless you have tight
client control.
I hope I need to include ppolicy schema on all my replica.
Keeping schema consistent across all your servers is a best practice.
- References:
- About ppolicy
- From: Jacques Foucry <jacques.foucry@novasparks.com>