On 02/24/2014 01:34 PM, Jon Detert wrote:
I want the account lockout policy of all 3 servers to be the same, and the account lockout status of a given bind-dn to be the same across all 3.
I made the config shown below, but when I locked an account via purposely failed bind attempts to one of the consumers, neither the supplier nor the other consumer got informed that the account was locked. Any ideas?
Looks like you are half way there.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Replicating-Password-Attributes.html
Are any of these consumers read-only? If so, then you'll have to do
something like chain-on-bind request so that the password policy
attributes are stored on a writable master.
http://www.port389.org/wiki/Howto:ChainOnUpdate
Thanks
The config:
====================
I ran this on the supplier and both consumers:
ldapmodify -h localhost -cax -D "cn=directory manager" -y ~/pword <<BYE
dn: cn=config
changetype: modify
add: passwordLockout
passwordLockout: on
-
add: passwordUnlock
passwordUnlock: on
-
add: passwordMaxFailure
passwordMaxFailure: 20
-
add: passwordLockoutDuration
passwordLockoutDuration: 3600
-
add: passwordResetFailureCount
passwordResetFailureCount: 600
BYE
And this on each of the 2 consumers:
ldapmodify -h localhost -D cn="Directory Manager" -y ~/pword <<BYE
dn: cn=config
changetype: modify
replace: passwordIsGlobalPolicy
passwordIsGlobalPolicy: on
BYE
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
