From 5c589493478590841dae4aeb864b1e7059d6d634 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Tue, 26 May 2020 10:59:15 -0400
Subject: [PATCH] document update delays

---
 tsa/doc/accounts.creole | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/tsa/doc/accounts.creole b/tsa/doc/accounts.creole
index 92b9e854..fff784c2 100644
--- a/tsa/doc/accounts.creole
+++ b/tsa/doc/accounts.creole
@@ -221,6 +221,21 @@ new password. This new password can then be used to
 button), and use the {{{"Change password"}}} fields to create a new LDAP
 password.
 
+Note that LDAP (and sudo passwords, below) changes are not
+instantaneous: they can take between 5 to 8 minutes to propagate to
+any given host.
+
+More specifically, the password files are generated on the master LDAP
+server every five minutes, starting at the third minute of the hour,
+with a cron schedule like this:
+
+     3,8,13,18,23,28,33,38,43,48,53,58
+
+Then those files are synchronized on a more standard 5 minutes
+schedule to all hosts.
+
+There are also delays involved in the mail loop, of course.
+
 === Host specific passwords / sudo passwords ===
 
 Your LDAP password can *not* be used to authenticate to `sudo` on
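Review bot: The "between 5 to 8 minutes" figure in the first added paragraph cannot be checked against the two schedules that follow it. Generation is pinned to minutes 3,8,...,58, but the sync step is only described as "a more standard 5 minutes schedule", so its minute offset, and therefore the real minimum and maximum delay, is not stated. Suggest giving the sync schedule as explicitly as the generation one and saying whether the range includes the run time of both jobs. Smaller points: "between 5 to 8" should read "between 5 and 8"; "LDAP (and sudo passwords, below) changes" reads more cleanly as "LDAP and sudo password changes"; and the indented cron line may be safer wrapped in {{{ }}}, as the "Change password" literal in the context line above is.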
@@ -248,6 +263,9 @@ configured accounts on configured hosts. Consult the output of "sudo
 -l" if you don't know what you may do. (If you don't know, chances are
 you don't need to nor can use sudo.)
 
+Do mind the delays in LDAP and sudo passwords change, mentioned in the
+previous section.
+
 == <a id="key-rollover">Changing/Updating your OpenPGP key</a> ==
 
 If you are planning on migrating to a new OpenPGP key and you also want to
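Review bot: The added sentence points to "the previous section" without naming it or repeating the delay, so the reference breaks if sections are reordered. Since the following heading already carries an anchor (id="key-rollover"), consider giving the delay paragraph an anchor too and linking to it, or restating the figure here. The sentence also sits at the very end of the sudo section, after the "sudo -l" paragraph, where someone whose freshly set sudo password is being rejected may not look; moving it next to the instructions for setting the sudo password would help. Wording: "delays in LDAP and sudo passwords change" should be "delays in LDAP and sudo password changes".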
-- 
GitLab