Brodie, Kent wrote:
If you have password policy on, the directory server will make modifications to users' entries when they use password authentication. You may or may not want these to be replicated.OK. Further research-- it appears I have an issue with "passwordretrycount" not replicating-- which apparently (did some searches..) is a problem others have had, when the directory services is set up in a replicating fashion (multi-master in my case). Has to do with global password policy settings, and what is allowed to replicate-- or not. I found the offending entry (passwordretrycount existed for the user on one node, not the other) and deleted it. My question now is: What's the correct solution to this? Forumpostings I've found thus far are unclear.Any ideas appreciated! --Kent PS: Thanks for the tons of help, I learned a lot today on debugging this stuff for future issues...
For example, if you have password retry counting with lockout enabled - if this policy is local only, a hacker could attempt to hack an account N times on master 1, N times on master 2, etc. So instead of the password retry count being N, it's really M x N.
If you care about this, you can enable these password policy attributes to be replicated and accepted on the consumer, by turning on the passwordIsGlobalPolicy in cn=config on each consumer.
If you do not want these attributes replicated at all, modify your replication agreement to exclude the following attributes from being replicated:
retryCountResetTime passwordRetryCount accountUnlockTime
-- 389 users mailing list 389-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
<<attachment: smime.p7s>>
-- 389 users mailing list 389-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
