Hi,

On Wednesday, 21 April 2010 17:50:31, Frank Swasey wrote:
> We are setting up a new service that is going to actually hold
> passwords in the OpenLDAP database instead of using Kerberos (via
> sasl and saslauthd). To that end, I'm investigating ppolicy.
>
> However, what I haven't found in the man page (slapo-ppolicy), or the
> Admin Guide, or the FAQ-O-Matic is whether I need to configure ppolicy
> on the master and the replicas or just the master.
>
> My assumption is that I need to set up ppolicy on the replicas as well
> as the master -- otherwise those pwd* operational attributes are not
> going to be legal on the replica and I'll get in trouble. I haven't
> set up a test environment with a replica yet -- so, I'm asking here.

Yes, you have to set it up on every server.

> I also see in the FAQ that ppolicy only works on OpenLDAP versions
> greater than 2.3 (item 2 of the ppolicy checklist). So, I'm sensing
> that ppolicy in OpenLDAP v2.3.x is not really completely functional?

Hm, to my knowledge ppolicy was working fine with 2.3.x. But if you are
setting up a new service it would be wise to go with the latest stable
release IMO.

> Am I reading too much into the entry in the FAQ?

Hm, I think that entry is plain wrong. Unless somebody else vetoes, I am
going to remove that entry.

--
Ralf