On Tue, 2018-01-16 at 23:22 +0000, Mitch Patenaude wrote:
> So the problems were
> 1) I needed to set 'passwordUnlock: on' even though that's supposed
> to be the default value
> 2) In 'cn=config' I needed to set 'passwordIsGlobalPolicy: on' on
> every server to enable replication of lockout params.

I wonder if either of these are bugs. Mark?

>
> Thanks to Kevin Kelly for pointing me in the right direction. The
> relevant documentation can be found here:
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_the_Password_Policy-Configuring_the_Account_Lockout_Policy.html
>
>   -- Mitch
>
> On 1/16/18, 1:44 PM, "Mitch Patenaude" <mpatenaude@xxxxxxxxxxxxxx>
> wrote:
>
> I'm trying to implement account lockouts for <n> failed login
> attempts in a multi-master environment.
>
> I used something like the following ldif to enable the lockouts:
> dn: cn="cn=nsPwPolicyEntry,ou=people,dc=example,dc=com",cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
> changetype: modify
> add: passwordLockout
> passwordLockout: on
> -
> add: passwordMaxFailure
> passwordMaxFailure: 5
> -
> add: passwordResetFailureCount
> passwordResetFailureCount: 1800
> -
> add: passwordLockoutDuration
> passwordLockoutDuration: 1800
>
> It works (kind of), but there are 2 problems:
> 1) Even though the passwordLockoutDuration is only 30 minutes, it
> locks the user out indefinitely (i.e. accountUnlockTime:
> 19700101000000Z)
> 2) The accountUnlockTime attribute doesn't get replicated, so the
> user is only locked out of 1 of the 4 master servers.
>
> Any idea what I am doing wrong?
>
> Thanks,
>   -- Mitch Patenaude mpatenaude@xxxxxxxxxxxxxx Systems engineer
>
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org

-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Australia/Brisbane
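
The two symptoms reported in this thread (an accountUnlockTime of 19700101000000Z, and lock state present on only one master) can be checked from per-master LDIF dumps. The following is an added example, not code from the thread or from the 389 Directory Server project; the master names m1 to m4, the sample entries, and the function names are constructed, and it assumes each dump contains accountUnlockTime wherever it is set.

```python
# Added example (not from the thread): audit per-master LDIF dumps for the
# two symptoms reported above. Host names and entries below are constructed.
EPOCH_LOCK = "19700101000000Z"  # value the thread saw for an indefinite lock


def parse_unlock_times(ldif_text):
    """Map each entry DN to its accountUnlockTime (None when absent).

    Assumes plain, unfolded "attr: value" lines (no base64 "::" values).
    """
    result, dn = {}, None
    for line in ldif_text.splitlines():
        if not line.strip():
            dn = None  # a blank line ends the current entry
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value.lower()
            result.setdefault(dn, None)
        elif attr == "accountunlocktime" and dn is not None:
            result[dn] = value
    return result


def audit(dumps):
    """dumps maps master name -> LDIF text; returns (indefinite, inconsistent)."""
    per_master = {m: parse_unlock_times(t) for m, t in dumps.items()}
    indefinite, inconsistent = [], {}
    for dn in sorted(set().union(*per_master.values())):
        values = {m: per_master[m].get(dn) for m in sorted(per_master)}
        indefinite += [(m, dn) for m, v in values.items() if v == EPOCH_LOCK]
        if len(set(values.values())) > 1:  # lock state differs between masters
            inconsistent[dn] = values
    return indefinite, inconsistent


JDOE = "uid=jdoe,ou=people,dc=example,dc=com"
ASMITH = "uid=asmith,ou=people,dc=example,dc=com"
UNLOCKED = f"dn: {JDOE}\n\ndn: {ASMITH}\n"
SAMPLE = {  # constructed: jdoe is locked on m1 only, as in the original report
    "m1": f"dn: {JDOE}\naccountUnlockTime: {EPOCH_LOCK}\n\ndn: {ASMITH}\n",
    "m2": UNLOCKED, "m3": UNLOCKED, "m4": UNLOCKED,
}

if __name__ == "__main__":
    locked_forever, drift = audit(SAMPLE)
    print("indefinite locks:", locked_forever)
    print("differs across masters:", drift)
```

An empty result from both checks after setting passwordUnlock and passwordIsGlobalPolicy as described above indicates the lock state is time-limited and consistent across the masters that were dumped.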