Re: One supplier; two consumers : how to enable replication of Account Lockout policy attributes?

On 02/24/2014 02:33 PM, Jon Detert wrote:
----- Original Message -----
From: "Rich Megginson" <rmeggins@xxxxxxxxxx>
To: "General discussion list for the 389 Directory server project." <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
Sent: Monday, February 24, 2014 2:48:38 PM
Subject: Re: One supplier; two consumers : how to enable replication of Account Lockout policy attributes?

On 02/24/2014 01:34 PM, Jon Detert wrote:
I want the account lockout policy of all 3 servers to be the same, and the
account lockout status of a given bind-dn to be the same across all 3.

I made the config shown below, but when I locked an account via purposely
failed bind attempts to one of the consumers, neither the supplier nor the
other consumer got informed that the account was locked.  Any ideas?
Looks like you are half way there.

https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Replicating-Password-Attributes.html

Are any of these consumers read-only?  If so, then you'll have to do
something like chain-on-bind request so that the password policy
attributes are stored on a writable master.
http://www.port389.org/wiki/Howto:ChainOnUpdate
Both consumers are read-only.  I'd thought 'consumer' was synonymous with 'read-only replica'.  No?

Ok.


So, I'll need to work out the chainOnUpdate to get things to work like I want.  Can I arrange so that my 2 ro replicas will only chain updates of Account Policy attributes?

No.

I.e. so that they are ro except w.r.t. Account Policy Attributes?

They are read only already, correct? Right now, if a client tries to write to a consumer, the client will be sent back an LDAP referral to the master. With chain on update, the consumer will "pass through" the operation to the master. Either way, the consumer is read-only with respect to clients, and only allows updates from the master.


Lastly, there's something about this section:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Replicating-Password-Attributes.html#replicating-pwd-policy
that I don't understand.  It says that you only have to turn on the passwordIsGlobalPolicy on the 'consumers'.  So, I locked an account via my rw supplier (aka 'master').  However, the account lockout policy attrs did not get replicated to my 2 ro consumers.  But when I turned on the passwordIsGlobalPolicy on my rw supplier, locked another account via the rw supplier, the attrs were replicated to my 2 ro consumers.  So, am I misunderstanding what a 'consumer' is, or is the documentation wrong?

Could be that the docs are wrong.

Thanks,

Jon

The config:
====================

I ran this on the supplier and both consumers:
# global lockout policy under cn=config (-x simple bind, -c continue past errors, -a default changetype add)
ldapmodify -h localhost -cax -D "cn=directory manager" -y ~/pword <<BYE
dn: cn=config
changetype: modify
add: passwordLockout
passwordLockout: on
-
add: passwordUnlock
passwordUnlock: on
-
add: passwordMaxFailure
passwordMaxFailure: 20
-
add: passwordLockoutDuration
passwordLockoutDuration: 3600
-
add: passwordResetFailureCount
passwordResetFailureCount: 600

BYE

And this on each of the 2 consumers:

# same simple bind (-x) as the first command
ldapmodify -h localhost -x -D "cn=Directory Manager" -y ~/pword <<BYE
dn: cn=config
changetype: modify
replace: passwordIsGlobalPolicy
passwordIsGlobalPolicy: on
BYE
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
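
[Added example; this is not code from the thread or from the 389 project.] What the thread is really probing is whether the lockout state, which 389 keeps in the operational attributes passwordRetryCount, retryCountResetTime and accountUnlockTime on the user entry, is present and identical on the supplier and both consumers after a lockout. The script below asks each server for those attributes on one bind DN and reports the state it sees, so the "locked on one server, clean on the others" symptom from the first message shows up as a visible disagreement. It assumes OpenLDAP client tools (ldapsearch with -x and -y) and the Directory Manager password in ~/pword, as in the ldapmodify commands above; the hostnames and the uid=jdoe entry are hypothetical; and it assumes the 389-ds convention that an entry is locked while accountUnlockTime is in the future, with the epoch value 19700101000000Z meaning locked until an administrator resets it (what the server stores when passwordUnlock is off).

```shell
#!/bin/sh
# Added example, not code from the thread or from the 389 project.
# Reports the account-lockout state of one bind DN as seen by each server,
# so you can confirm whether the operational attributes that make up the
# lockout state actually arrived on the supplier and on both consumers.
#
# Assumptions not stated on the page:
#   * OpenLDAP client tools (ldapsearch with -x / -y), Directory Manager
#     password in ~/pword, as in the ldapmodify commands in the thread.
#   * 389-ds semantics: an entry is locked while accountUnlockTime lies in
#     the future; with passwordUnlock off the server stores the epoch
#     (19700101000000Z) to mean "locked until an administrator resets it".
#   * Hostnames and the uid=jdoe entry below are hypothetical.

# lock_state NOW   (NOW is a GeneralizedTime such as 20140224203000Z;
#                   LDIF as printed by "ldapsearch -LLL" is read on stdin)
# Prints one of: clean, counting:N, locked, locked-until-reset, unlocked.
# GeneralizedTime is fixed-width YYYYMMDDHHMMSSZ, so after stripping the Z
# the values compare correctly as integers; no date parsing is needed.
lock_state() {
    now=$(printf '%s' "$1" | tr -cd '0-9')
    retry=0; unlock=''
    while IFS= read -r line; do
        case "$line" in
            passwordRetryCount:*) retry=${line#*: } ;;
            accountUnlockTime:*)  unlock=$(printf '%s' "${line#*: }" | tr -cd '0-9') ;;
        esac
    done
    if [ -z "$unlock" ]; then
        # no lockout recorded; failures, if any, are still being counted
        if [ "$retry" -gt 0 ]; then echo "counting:$retry"; else echo clean; fi
    elif [ "$unlock" = 19700101000000 ]; then
        echo locked-until-reset
    elif [ "$unlock" -gt "$now" ]; then
        echo locked
    else
        # passwordLockoutDuration has elapsed; the next bind is allowed
        echo unlocked
    fi
}

# check_lockout BIND_DN HOST...   (needs live servers; not exercised offline)
# Every server should report the same state once the attributes replicate.
# A server that stays "clean" after a lockout triggered elsewhere never
# recorded or received the lockout attributes.
check_lockout() {
    dn=$1; shift
    now=$(date -u +%Y%m%d%H%M%SZ)
    for host in "$@"; do
        state=$(ldapsearch -LLL -x -H "ldap://$host" -D "cn=Directory Manager" \
                    -y ~/pword -s base -b "$dn" passwordRetryCount accountUnlockTime \
                | lock_state "$now")
        printf '%-24s %s\n' "$host" "$state"
    done
}

# Constructed sample LDIF (the shape "ldapsearch -LLL" returns), for offline runs.
SAMPLE_LOCKED='dn: uid=jdoe,ou=People,dc=example,dc=com
passwordRetryCount: 20
accountUnlockTime: 20140224213000Z
'
SAMPLE_COUNTING='dn: uid=jdoe,ou=People,dc=example,dc=com
passwordRetryCount: 3
'
SAMPLE_CLEAN='dn: uid=jdoe,ou=People,dc=example,dc=com
'

# Offline demonstration with a fixed "now" of 2014-02-24 20:30:00Z:
# prints locked, counting:3, clean (one line per sample).
demo() {
    for s in "$SAMPLE_LOCKED" "$SAMPLE_COUNTING" "$SAMPLE_CLEAN"; do
        printf '%s' "$s" | lock_state 20140224203000Z
    done
}

# Live usage (hypothetical hostnames):
#   check_lockout "uid=jdoe,ou=People,dc=example,dc=com" supplier consumer1 consumer2
```

Run check_lockout against all three servers immediately after forcing a lockout through one of them; the consumers must show locked, not clean, for the global policy to be doing its job. Because the comparison is done on the raw timestamps, a clock skew between servers larger than passwordLockoutDuration would make one server report unlocked while another still reports locked, so keep the servers' clocks in sync before reading anything into a disagreement.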
