----- Original Message -----
> From: "Rich Megginson" <rmeggins@xxxxxxxxxx>
> To: "General discussion list for the 389 Directory server project." <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
> Sent: Monday, February 24, 2014 2:48:38 PM
> Subject: Re: One supplier; two consumers : how to enable replication of Account Lockout policy attributes?
>
> On 02/24/2014 01:34 PM, Jon Detert wrote:
> > I want the account lockout policy of all 3 servers to be the same, and the
> > account lockout status of a given bind-dn to be the same across all 3.
> >
> > I made the config shown below, but when I locked an account via purposely
> > failed bind attempts to one of the consumers, neither the supplier nor the
> > other consumer got informed that the account was locked. Any ideas?
>
> Looks like you are halfway there.
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Replicating-Password-Attributes.html
>
> Are any of these consumers read-only? If so, then you'll have to do
> something like chain-on-bind request so that the password policy
> attributes are stored on a writable master.
> http://www.port389.org/wiki/Howto:ChainOnUpdate

Both consumers are read-only. I'd thought 'consumer' was synonymous with 'read-only replica'. No?

So, I'll need to work out the chainOnUpdate to get things to work like I want. Can I arrange so that my 2 ro replicas will only chain updates of Account Policy attributes? I.e. so that they are ro except w.r.t. Account Policy attributes?

Lastly, there's something about this section:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Replicating-Password-Attributes.html#replicating-pwd-policy
that I don't understand. It says that you only have to turn on passwordIsGlobalPolicy on the 'consumers'. So, I locked an account via my rw supplier (aka 'master'). However, the account lockout policy attrs did not get replicated to my 2 ro consumers. But when I turned on passwordIsGlobalPolicy on my rw supplier and locked another account via the rw supplier, the attrs were replicated to my 2 ro consumers.

So, am I misunderstanding what a 'consumer' is, or is the documentation wrong?

Thanks,
Jon

> > The config:
> > ====================
> >
> > I ran this on the supplier and both consumers:
> > ldapmodify -h localhost -cax -D "cn=directory manager" -y ~/pword <<BYE
> > dn: cn=config
> > changetype: modify
> > add: passwordLockout
> > passwordLockout: on
> > -
> > add: passwordUnlock
> > passwordUnlock: on
> > -
> > add: passwordMaxFailure
> > passwordMaxFailure: 20
> > -
> > add: passwordLockoutDuration
> > passwordLockoutDuration: 3600
> > -
> > add: passwordResetFailureCount
> > passwordResetFailureCount: 600
> >
> > BYE
> >
> > And this on each of the 2 consumers:
> >
> > ldapmodify -h localhost -D cn="Directory Manager" -y ~/pword <<BYE
> > dn: cn=config
> > changetype: modify
> > replace: passwordIsGlobalPolicy
> > passwordIsGlobalPolicy: on
> > BYE
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
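Added example, not part of the thread: a Python check that parses ldapsearch LDIF output captured from each server and reports where passwordIsGlobalPolicy is not on, or where a user's lockout state differs from the supplier's copy (the writable source the read-only consumers should mirror). The LDIF snapshots are constructed; the lockout-state attribute names (passwordRetryCount, retryCountResetTime, accountUnlockTime) are the 389 DS operational attributes assumed here, not names taken from the thread.

```python
from collections import defaultdict
# Operational attributes 389 DS stores on a user entry to track lockout state
# (assumed names; the thread itself only names passwordIsGlobalPolicy).
LOCKOUT_ATTRS = ("passwordRetryCount", "retryCountResetTime", "accountUnlockTime")
USER = "uid=jdoe,ou=people,dc=example,dc=com"   # constructed test DN

def parse_ldif(text):
    """Minimal LDIF parser -> {dn: {attr: [values]}}; '::' base64 values are not decoded."""
    lines = text.replace("\n ", "").splitlines()   # unfold continuation lines
    entries, attrs, dn = {}, defaultdict(list), None
    for line in lines + [""]:                      # trailing "" flushes the last entry
        if not line.strip():
            if dn:
                entries[dn] = dict(attrs)
            attrs, dn = defaultdict(list), None
        elif not line.startswith("#"):
            key, _, value = line.partition(":")
            if key.lower() == "dn":
                dn = value.strip()
            else:
                attrs[key].append(value.strip())
    return entries

def check_lockout_replication(snapshots, supplier, user_dn):
    """snapshots: {server: LDIF}. Flag policy not 'on' and lockout attrs differing from the supplier."""
    parsed = {srv: parse_ldif(ldif) for srv, ldif in snapshots.items()}
    findings = []
    for srv, entries in parsed.items():
        if entries.get("cn=config", {}).get("passwordIsGlobalPolicy") != ["on"]:
            findings.append(f"{srv}: passwordIsGlobalPolicy is not 'on'")
    ref = parsed[supplier].get(user_dn, {})        # writable master holds the authoritative state
    for srv, entries in parsed.items():
        ent = entries.get(user_dn, {})
        for attr in LOCKOUT_ATTRS:
            if srv != supplier and ent.get(attr) != ref.get(attr):
                findings.append(f"{srv}: {attr}={ent.get(attr)} vs {supplier} {ref.get(attr)}")
    return findings

def sample_ldif(global_policy, retry_count, unlock_time=None):
    """Constructed ldapsearch-style output: cn=config plus one user entry."""
    user = f"dn: {USER}\nuid: jdoe\npasswordRetryCount: {retry_count}\n"
    user += f"accountUnlockTime: {unlock_time}\n" if unlock_time else ""
    return f"dn: cn=config\npasswordIsGlobalPolicy: {global_policy}\n\n{user}"

SNAPSHOTS = {   # consumer2 never received the lockout: stale count, policy off
    "supplier": sample_ldif("on", 20, "20140224220000Z"),
    "consumer1": sample_ldif("on", 20, "20140224220000Z"),
    "consumer2": sample_ldif("off", 0),
}
```

Run `check_lockout_replication(SNAPSHOTS, "supplier", USER)` after replacing the constructed snapshots with real `ldapsearch -b cn=config` and per-user output from each server; an empty result means the lockout state and the global policy flag agree everywhere.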