How to replicate password lockout attributes from a consumer or hub to a master(s)

Hello.

I've taken over a large 389-ds environment running on Oracle Linux 8 and the first task I need to complete is to enable password lockouts.



I was able to enable password lockouts successfully; however, it only works if the client is pointed directly to a master. The account locks out and the attributes are propagated down to the hubs and consumers.

If the client is pointed to a read-only hub or consumer then the account does not lock out and the password attributes do not propagate back to the masters.

passwordIsGlobalPolicy: on is set on all masters, hubs and consumers

Password policy attributes I expect to replicate:

passwordRetryCount
accountUnlockTime
retryCountResetTime

I've tried following the chaining guide below, which I think is what I need to do to get this to work as expected; however, I've hit a snag.

The document states the backend must be added to the hub or consumer, however when I try and add the following LDIF to the hub I get the "unwilling to perform" error.

This makes sense because the hub is read-only, so I'm confused as to how I can update the config on a read-only hub or consumer?

dn: cn=chainlab,cn=chaining database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
cn: chainlab
nsslapd-suffix: dc=domain,dc=com
nsfarmserverurl: ldap://dsa1.domain.com:389 ldap://dsa2.domain.com:389 ldap://dsa3.domain.com:389
nsmultiplexorbinddn: uid=repluser,cn=config
nsmultiplexorcredentials: mypassword
nsCheckLocalACI: on

adding new entry "cn=chainlab,cn=chaining database,cn=plugins,cn=config"
ldap_add: Server is unwilling to perform (53)

Hub or Consumer

Step 1 (Hub and Consumer): the chaining backend must be created on the hub and consumer:

dn: cn=chainbe1,cn=chaining database,cn=plugins,cn=config    
objectclass: top    
objectclass: extensibleObject    
objectclass: nsBackendInstance    
cn: chainbe1    
nsslapd-suffix: <suffix to replicate>
nsfarmserverurl: ldap://supplier1:port supplier2:port ... supplierN:port/ # also, ldaps can be used instead
                                                                          # of ldap for secure connections -
                                                                          # requires the secure port
nsmultiplexorbinddn: cn=Replication Manager,cn=config # or whatever the replica bind DN is on the supplier
nsmultiplexorcredentials: password    
nsCheckLocalACI: on    

Any help would be greatly appreciated.

Thanks
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
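
Added example, not part of the original post or of 389-ds: one way to confirm the symptom described above is to capture `ldapsearch` LDIF output for the same user entry from each server (requesting the three attributes by name) and compare the lockout state. The server labels, user DN and attribute values below are constructed sample data.

```python
import base64

# Attributes the post expects to see replicated, lower-cased for comparison.
LOCKOUT_ATTRS = ("passwordretrycount", "accountunlocktime", "retrycountresettime")

def parse_ldif_entry(text):
    """Return {attr_lower: [values]} for the first entry in an LDIF string."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded LDIF line: join to previous
        elif not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        if not line.strip():
            if entry:
                break                     # blank line ends the first entry
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):         # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def diverging_attrs(ldif_by_server):
    """Return {attr: {server: value}} for lockout attrs the servers disagree on."""
    parsed = {srv: parse_ldif_entry(t) for srv, t in ldif_by_server.items()}
    result = {}
    for attr in LOCKOUT_ATTRS:
        values = {srv: e.get(attr, [None])[0] for srv, e in parsed.items()}
        if len(set(values.values())) > 1:
            result[attr] = values
    return result

# Constructed sample output for one user entry on two servers.
SAMPLES = {
    "master": "dn: uid=jdoe,ou=people,dc=domain,dc=com\n"
              "passwordRetryCount: 3\naccountUnlockTime: 20240101121500Z\n"
              "retryCountResetTime: 2024010112\n 1000Z\n",
    "consumer": "dn: uid=jdoe,ou=people,dc=domain,dc=com\n"
                "passwordRetryCount: 1\nretryCountResetTime: 20240101121000Z\n",
}

if __name__ == "__main__":
    for attr, values in diverging_attrs(SAMPLES).items():
        print(attr, values)
```

An empty result means every server reports the same lockout state for the entry; any attribute listed is one where at least one server's view differs or is missing.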
