Re: One supplier; two consumers : how to enable replication of Account Lockout policy attributes?

----- Original Message -----
> From: "Rich Megginson" <rmeggins@xxxxxxxxxx>
> To: "General discussion list for the 389 Directory server project." <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
> Sent: Monday, February 24, 2014 2:48:38 PM
> Subject: Re:  One supplier; two consumers : how to enable replication of Account Lockout policy
> attributes?
> 
> On 02/24/2014 01:34 PM, Jon Detert wrote:
> > I want the account lockout policy of all 3 servers to be the same, and the
> > account lockout status of a given bind-dn to be the same across all 3.
> >
> > I made the config shown below, but when I locked an account via purposely
> > failed bind attempts to one of the consumers, neither the supplier nor the
> > other consumer got informed that the account was locked.  Any ideas?
> 
> Looks like you are half way there.
> 
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Replicating-Password-Attributes.html
>
> Are any of these consumers read-only?  If so, then you'll have to do
> something like chain-on-bind request so that the password policy
> attributes are stored on a writable master.
> http://www.port389.org/wiki/Howto:ChainOnUpdate

Both consumers are read-only.  I'd thought 'consumer' was synonymous with 'read-only replica'.  No?

So, I'll need to work out the chainOnUpdate to get things to work like I want.  Can I arrange so that my 2 ro replicas will only chain updates of Account Policy attributes?  I.e. so that they are ro except w.r.t. Account Policy Attributes?

Lastly, there's something about this section:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Replicating-Password-Attributes.html#replicating-pwd-policy
that I don't understand.  It says that you only have to turn on the passwordIsGlobalPolicy on the 'consumers'.  So, I locked an account via my rw supplier (aka 'master').  However, the account lockout policy attrs did not get replicated to my 2 ro consumers.  But when I turned on the passwordIsGlobalPolicy on my rw supplier, locked another account via the rw supplier, the attrs were replicated to my 2 ro consumers.  So, am I misunderstanding what a 'consumer' is, or is the documentation wrong?

Thanks,

Jon

> > The config:
> > ====================
> >
> > I ran this on the supplier and both consumers:
> > ldapmodify -h localhost -cax -D "cn=directory manager" -y ~/pword <<BYE
> > dn: cn=config
> > changetype: modify
> > add: passwordLockout
> > passwordLockout: on
> > -
> > add: passwordUnlock
> > passwordUnlock: on
> > -
> > add: passwordMaxFailure
> > passwordMaxFailure: 20
> > -
> > add: passwordLockoutDuration
> > passwordLockoutDuration: 3600
> > -
> > add: passwordResetFailureCount
> > passwordResetFailureCount: 600
> >
> > BYE
> >
> > And this on each of the 2 consumers:
> >
> > ldapmodify -h localhost -D cn="Directory Manager" -y ~/pword <<BYE
> > dn: cn=config
> > changetype: modify
> > replace: passwordIsGlobalPolicy
> > passwordIsGlobalPolicy: on
> > BYE
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
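
Added example, not part of the original message or of the 389 project: a Python check that compares the lockout-related `cn=config` attributes named in this thread across the three servers and reports every attribute whose value differs. The LDIF snapshots and the server labels are constructed sample data (assumed to come from a search of `cn=config` on each host); the sample mirrors the situation described above, with `passwordIsGlobalPolicy` set only on the consumers.

```python
# Attributes taken from the ldapmodify commands quoted in this thread.
LOCKOUT_ATTRS = (
    "passwordLockout", "passwordUnlock", "passwordMaxFailure",
    "passwordLockoutDuration", "passwordResetFailureCount",
    "passwordIsGlobalPolicy",
)

def parse_config(ldif_text):
    """Return {lowercased attribute: value} for a one-entry LDIF dump of cn=config."""
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # LDIF continuation (folded) line
        elif line and not line.startswith("#"):
            unfolded.append(line)
    attrs = {}
    for line in unfolded:
        name, sep, value = line.partition(":")
        if sep:
            attrs[name.strip().lower()] = value.strip()
    return attrs

def find_drift(snapshots):
    """Map each lockout attribute that differs between servers to {server: value}."""
    parsed = {srv: parse_config(text) for srv, text in snapshots.items()}
    drift = {}
    for attr in LOCKOUT_ATTRS:
        values = {srv: cfg.get(attr.lower(), "<unset>") for srv, cfg in parsed.items()}
        if len(set(values.values())) > 1:
            drift[attr] = values
    return drift

# Constructed sample snapshots; server labels are hypothetical.
COMMON = """dn: cn=config
passwordLockout: on
passwordUnlock: on
passwordMaxFailure: 20
passwordLockoutDuration: 3600
passwordResetFailureCount: 600
"""
SAMPLE = {
    "supplier": COMMON + "passwordIsGlobalPolicy: off\n",
    "consumer1": COMMON + "passwordIsGlobalPolicy: on\n",
    "consumer2": COMMON + "passwordIsGlobalPolicy: on\n",
}

if __name__ == "__main__":
    for attr, values in find_drift(SAMPLE).items():
        print(f"{attr} differs: {values}")
```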




