Hello Aaron.

Two separate things: I may have misunderstood your configuration, but nothing is replicated from a consumer to a master unless the consumer is actually configured as a hub with an agreement back to the supplier. You can use passthrough authentication trickery to cause binds to be performed at the master if you don't want bi-directional replication.

Also, those three attributes (passwordRetryCount, retryCountResetTime, accountUnlockTime) are special and will not replicate in any case unless you set passwordIsGlobalPolicy to on in cn=config.

Ulf

Bliss, Aaron wrote:

> P.S. Normal replication is happening, as well as typical referrals from
> consumer to supplier (i.e. password changes). Any help with this will
> be much appreciated, as this is a rather huge problem right now. Thanks
> again.
>
> Aaron
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Bliss, Aaron
> Sent: Tuesday, February 07, 2006 5:11 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Account lockout counters not replicating;how to unlock users?
>
> Here's my setup; 2 directory servers, 1 supplier, 1 consumer; I'm not
> sure why, but for some reason I'm not seeing password retry counters
> being replicated from the consumer to the supplier; here is what I've
> seen (I have fds setup to lock accounts after 5 bad password attempts,
> reset failure count after 15 minutes):
>
> - if a user types their password incorrectly on a server that binds first
>   to a consumer, then their password retry count increments only on the
>   consumer
> - if a user successfully binds to the server, then their
>   password retry count does get reset
>
> This is a problem for a couple of reasons. If an account becomes locked
> out because of bad password attempts, I've tried deleting the attributes
> of passwordRetryCount and accountUnlockTime
> (http://directory.fedora.redhat.com/wiki/Howto:PasswordReset) from the
> supplier, however for some reason this is not replicated to the consumer
> (is this an indication of a different problem?) this is a problem as I
> have some of my linux servers to look to the supplier first for
> authentication, and then the consumer second, and vice versa for load
> balancing. According to fds documentation, account lockout counters may
> not work as expected in a multi master environment
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1086446 ;
> this is one of the reasons that I opted for a single master
> environment; please advise and thanks. Given the issues that I'm
> having, what is the best way to unlock accounts that have been locked
> due to bad password attempts?
>
> Aaron
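
The two changes discussed in this thread, written as LDIF for `ldapmodify`; this is an added example and not part of the original messages. The user DN is a constructed placeholder, and the thread does not say on which server(s) the `cn=config` change has to be made, so check the product documentation for that.

```ldif
# Added example (not from the thread).
# 1. Allow the lockout attributes to replicate, as the reply describes.
dn: cn=config
changetype: modify
replace: passwordIsGlobalPolicy
passwordIsGlobalPolicy: on

# 2. Unlock one account by removing its lockout state.
#    The DN is a constructed placeholder.
#    Each delete is its own change record: a modify that deletes an
#    attribute the entry does not have is rejected as a whole, and an
#    entry with failed attempts but no lockout yet has no accountUnlockTime.
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
delete: passwordRetryCount

dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
delete: accountUnlockTime
```

Run it with `ldapmodify -c` so that a missing attribute on one record does not stop the remaining records from being applied.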