.\" $OpenLDAP$
-.\" Copyright 2004-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2004-2008 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.TH SLAPO_PPOLICY 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.SH NAME
-slapo-ppolicy \- Password Policy overlay
+slapo-ppolicy \- Password Policy overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
.SH OPERATIONAL ATTRIBUTES
.P
The operational attributes used by the
-.B passwd_policy
+.B ppolicy
module are stored in the user's entry. Most of these attributes
are not intended to be changed directly by users; they are there
to track user activity. They have been detailed here so that
.B ppolicy
module.
+.P
+Note that the current IETF Password Policy proposal does not define
+how these operational attributes are expected to behave in a
+replication environment. In general, authentication attempts on
+a slave server only affect the copy of the operational attributes
+on that slave and will not affect any attributes for
+a user's entry on the master server. Operational attribute changes
+resulting from authentication attempts on a master server
+will usually replicate to the slaves (and also overwrite
+any changes that originated on the slave).
+These behaviors are not guaranteed and are subject to change
+when a formal specification emerges.
+
.B userPassword
.P
The
-.b userPassword
+.B userPassword
attribute is not strictly part of the
.B ppolicy
module. It is, however, the attribute that is tracked and controlled
If the account has been locked, the password may no longer be used to
authenticate the user to the directory. If
.B pwdAccountLockedTime
-is set to zero (0), the user's account has been permanently locked
+is set to 000001010000Z, the user's account has been permanently locked
and may only be unlocked by an administrator.
.LP
.RS 4
projects / openldap / blobdiff