On 01/16/2018 07:28 PM, William Brown wrote:
> On Tue, 2018-01-16 at 23:22 +0000, Mitch Patenaude wrote:
>> So the problems were
>> 1) I needed to set 'passwordUnlock: on' even though that's supposed
>> to be the default value
>> 2) In 'cn=config' I needed to set 'passwordIsGlobalPolicy: on' on
>> every server to enable replication of lockout params.
> I wonder if either of these are bugs. Mark?

passwordIsGlobalPolicy is what you need to replicate these attributes - not a bug.

passwordUnlock is supposed to be "on" by default, but... If you use a subtree/user policy (aka local policy) the global policy default value of "on" is NOT picked up. That is a bug, and should have been fixed in https://pagure.io/389-ds-base/issue/49370, but in the patch passwordUnlock is not set to a default. I'll fix this today...

>
>> Thanks to Kevin Kelly for pointing me in the right direction. The
>> relevant documentation can be found here:
>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_the_Password_Policy-Configuring_the_Account_Lockout_Policy.html
>>
>> -- Mitch
>>
>> On 1/16/18, 1:44 PM, "Mitch Patenaude" <mpatenaude@xxxxxxxxxxxxxx> wrote:
>>
>> I'm trying to implement account lockouts for <n> failed login
>> attempts in a multi-master environment.
>>
>> I used something like the following ldif to enable the lockouts:
>>
>> dn: cn="cn=nsPwPolicyEntry,ou=people,dc=example,dc=com",cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
>> changetype: modify
>> add: passwordLockout
>> passwordLockout: on
>> -
>> add: passwordMaxFailure
>> passwordMaxFailure: 5
>> -
>> add: passwordResetFailureCount
>> passwordResetFailureCount: 1800
>> -
>> add: passwordLockoutDuration
>> passwordLockoutDuration: 1800
>>
>> It works (kind of), but there are 2 problems:
>> 1) Even though the passwordLockoutDuration is only 30 minutes, it
>> locks the user out indefinitely (i.e. accountUnlockTime: 19700101000000Z)
>> 2) The accountUnlockTime attribute doesn't get replicated, so the
>> user is only locked out of 1 of the 4 master servers.
>>
>> Any idea what I am doing wrong?
>>
>> Thanks,
>> -- Mitch Patenaude mpatenaude@xxxxxxxxxxxxxx Systems engineer
>>
>> _______________________________________________
>> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
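As an added audit helper (written for this page, not code from the thread or from the 389-ds project), the Python below reads an LDIF export of a local password policy entry and cn=config and reports the two pitfalls Mitch hit: a local lockout policy with passwordUnlock unset, and cn=config without passwordIsGlobalPolicy. The sample LDIF is constructed from the entry in the thread; the parser is a minimal one that only unfolds continuation lines.

```python
import re
from collections import defaultdict

# Constructed sample export: the thread's local policy entry (DN folded the way
# ldapsearch wraps it) without passwordUnlock, plus a cn=config lacking passwordIsGlobalPolicy.
SAMPLE_LDIF = """\
dn: cn="cn=nsPwPolicyEntry,ou=people,dc=example,dc=com",cn=nsPwPolicyContainer,
 ou=people,dc=example,dc=com
passwordLockout: on
passwordMaxFailure: 5
passwordResetFailureCount: 1800
passwordLockoutDuration: 1800

dn: cn=config
cn: config
"""

def parse_ldif(text):
    # Returns {dn: {attr_lowercase: [values]}}; "\n " joins folded lines, base64 ("::") is not decoded.
    entries, current = {}, None
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():                 # blank line terminates the entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries[value] = defaultdict(list)
        elif current is not None:
            current[attr].append(value)
    return entries

def is_on(attrs, name):
    return "on" in (v.lower() for v in attrs.get(name.lower(), []))

def audit_lockout_policy(ldif_text):
    # One string per misconfiguration from the thread; an empty list means clean.
    entries = parse_ldif(ldif_text)
    findings = []
    config = next((a for d, a in entries.items() if d.lower() == "cn=config"), {})
    if not is_on(config, "passwordIsGlobalPolicy"):
        findings.append("cn=config: passwordIsGlobalPolicy is not on, so lockout state "
                        "such as accountUnlockTime will not replicate")
    for dn, attrs in entries.items():
        if dn.lower() != "cn=config" and is_on(attrs, "passwordLockout") \
                and not is_on(attrs, "passwordUnlock"):
            findings.append(f"{dn}: passwordLockout is on but passwordUnlock is unset; "
                            "this local policy locks indefinitely (accountUnlockTime 19700101000000Z)")
    return findings
```

Run it against an export from each master separately, since passwordIsGlobalPolicy has to be on in every server's cn=config.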