document update delays

5c589493 · anarcat · fc8e823b · 5c589493
Verified Commit 5c589493 authored 4 years ago by anarcat
--- a/tsa/doc/accounts.creole
+++ b/tsa/doc/accounts.creole
@@ -221,6 +221,21 @@ new password. This new password can then be used to
 button), and use the {{{"Change password"}}} fields to create a new LDAP
 password.

+Note that LDAP (and sudo passwords, below) changes are not
+instantaneous: they can take between 5 to 8 minutes to propagate to
+any given host.
+
+More specifically, the password files are generated on the master LDAP
+server every five minutes, starting at the third minute of the hour,
+with a cron schedule like this:
+
+     3,8,13,18,23,28,33,38,43,48,53,58
+
+Then those files are synchronized on a more standard 5 minutes
+schedule to all hosts.
+
+There are also delays involved in the mail loop, of course.
+
 === Host specific passwords / sudo passwords ===

 Your LDAP password can *not* be used to authenticate to `sudo` on
@@ -248,6 +263,9 @@ configured accounts on configured hosts. Consult the output of "sudo
 -l" if you don't know what you may do. (If you don't know, chances are
 you don't need to nor can use sudo.)

+Do mind the delays in LDAP and sudo passwords change, mentioned in the
+previous section.
+
 == <a id="key-rollover">Changing/Updating your OpenPGP key</a> ==

 If you are planning on migrating to a new OpenPGP key and you also want to