Hello Aaron. Two separate things:

I may have misunderstood your configuration, but nothing is replicated
from a consumer to a master unless the consumer is actually configured
as a hub with an agreement back to the supplier. You can use
passthrough authentication trickery to cause binds to be performed at
the master if you don't want bi-directional replication.

Also, those three attributes (passwordRetryCount, retryCountResetTime,
accountUnlockTime) are special and will not replicate in any case unless
you set passwordIsGlobalPolicy to on in cn=config.

Ulf

Bliss, Aaron wrote:
P.S. Normal replication is happening, as well as typical referrals from
consumer to supplier (i.e. password changes). Any help with this will
be much appreciated, as this is a rather huge problem right now. Thanks
again.
Aaron
-----Original Message-----
From: fedora-directory-users-bounces@xxxxxxxxxx
[mailto:fedora-directory-users-bounces@xxxxxxxxxx] On Behalf Of Bliss,
Aaron
Sent: Tuesday, February 07, 2006 5:11 PM
To: General discussion list for the Fedora Directory server project.
Subject: Account lockout counters not replicating; how to unlock users?
Here's my setup: 2 directory servers, 1 supplier, 1 consumer. I'm not
sure why, but for some reason I'm not seeing password retry counters
being replicated from the consumer to the supplier; here is what I've
seen (I have fds set up to lock accounts after 5 bad password attempts,
reset failure count after 15 minutes):
- if a user types their password incorrectly on a server that binds first
  to a consumer, then their password retry count increments only on the
  consumer
- if a user successfully binds to the server, then their
  password retry count does get reset

This is a problem for a couple of
reasons. If an account becomes locked out because of bad password
attempts, I've tried deleting the attributes of passwordRetryCount and
accountUnlockTime
(http://directory.fedora.redhat.com/wiki/Howto:PasswordReset) from the
supplier; however, for some reason this is not replicated to the consumer
(is this an indication of a different problem?). This is a problem as I
have some of my Linux servers to look to the supplier first for
authentication, and then the consumer second, and vice versa for load
balancing. According to fds documentation, account lockout counters may
not work as expected in a multi master environment
(http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1086446);
this is one of the reasons that I opted for a single master
environment. Please advise, and thanks. Given the issues that I'm
having, what is the best way to unlock accounts that have been locked
due to bad password attempts?
Aaron
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
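
Added example, not part of the thread and not project code: since the lockout attributes named in the reply stay local to each server unless passwordIsGlobalPolicy is on, this sketch reads a search dump from each server and emits delete operations only for the attributes actually present there, alongside the cn=config change as LDIF. The DNs, values and sample dumps are constructed, and the parser assumes simple unfolded, non-base64 LDIF.

```python
# Added example: per-server lockout state -> unlock LDIF.
# Sample entries below are constructed; the DN and values are hypothetical.
UNLOCK_ATTRS = ("passwordRetryCount", "accountUnlockTime")  # attributes the how-to deletes

# The setting named in the reply, written as a modify operation on cn=config.
GLOBAL_POLICY_LDIF = (
    "dn: cn=config\nchangetype: modify\n"
    "replace: passwordIsGlobalPolicy\npasswordIsGlobalPolicy: on\n"
)

def parse_ldif(text):
    """Parse simple LDIF into {dn: {lowercased attribute: value}}."""
    entries, dn = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current entry
            dn = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "dn":
            dn = value
            entries[dn] = {}
        elif dn is not None:
            entries[dn][name.lower()] = value
    return entries

def unlock_ldif(entries):
    """Return LDIF that deletes only the lockout attributes present on this server."""
    out = []
    for dn, attrs in entries.items():
        present = [a for a in UNLOCK_ATTRS if a.lower() in attrs]
        if not present:               # deleting an absent attribute would be rejected
            continue
        mods = "\n-\n".join(f"delete: {a}" for a in present)
        out.append(f"dn: {dn}\nchangetype: modify\n{mods}\n-\n")
    return "\n".join(out)

# Constructed dumps: the account is locked on the consumer only.
SUPPLIER = "dn: uid=jdoe,ou=People,dc=example,dc=com\nuid: jdoe\n"
CONSUMER = (
    "dn: uid=jdoe,ou=People,dc=example,dc=com\nuid: jdoe\n"
    "passwordRetryCount: 5\naccountUnlockTime: 20060207223000Z\n"
)

if __name__ == "__main__":
    for name, dump in (("supplier", SUPPLIER), ("consumer", CONSUMER)):
        print(f"# {name}\n{unlock_ldif(parse_ldif(dump))}")
```

These password policy attributes are operational, so the search that produces each dump has to request them by name.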