You need to enable global password policy. You need to set the attribute "passwordIsGlobalPolicy" in cn=config to the value "1".

Bryan Wann wrote:
> Hello,
>
> I am trying to set up a global account lockout policy. In the
> Deployment Guide, it says "Account lockout is enforced on the
> replicas" and "The password policy information ... such as password
> age, the account lockout counter ... are all replicated." When I
> trigger the lockout on an account, I see the accountUnlockTime
> attribute get added to the account's directory entry.
>
> From what I make of the text in the Deployment Guide,
> accountUnlockTime should be replicated to my other master and
> corresponding consumers, thus locking out the account everywhere.
> This isn't what I'm seeing; I am only locked out of the master on
> which it was originally triggered, I can still bind using the account
> on the other master and consumers.
>
> I have applied the same password and lockout policy to all of my
> servers, so the configuration should be consistent. Do I have the
> wrong expectations on how this should work? Does "enforced on the
> replicas" simply mean the replicas as an independent server will
> perform lockouts? Anyone been able to solve this one?
>
> --bryan