[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: About ppolicy



On Fri, 3 May 2013, Jacques Foucry wrote:

So I had a look to ppolicy and appli this tutorial: http://theslashroot.blogspot.fr/2011/12/openldap-with-ppolicy.html

Some things are not clear for me. Did I have to disable shadowAccount on my schema?

If not is shadowLastChange will be updated?

Any shadowAccount concepts and slapo-ppolicy are independent. Your local implementation can consider the usage of one/both/neither in a coordinated fashion, but slapd won't help you in this manner.

Note that slapo-ppolicy operates almost entirely server-side, whereas any shadow-related attributes (i.e. shadowLastChange you mentioned) are updated by LDAP clients (typically a LDAP NSS module or similar). If you're trying to make something consistent across an entire directory, depending on client-specific behavior is difficult unless you have tight client control.

I hope I need to include ppolicy schema on all my replica.

Keeping schema consistent across all your servers is a best practice.