> >>> > >> Are you using Chain On Update for Binds? > >> http://directory.fedoraproject.org/wiki/Howto:ChainOnUpdate > >> > > > > We are indeed, we used that howto to set it up. Reading it now again it > does say it will use the chaining backend for binds. Why is that? Why is that? I don't know . According the the wiki http://directory.fedoraproject.org/wiki/Howto:ChainOnUpdate the consumer will use the chaining backend when I do bind/write requests. I can understand why you would want to "centrally" manage login attempts but would it not better to handle login attempts locally on the consumer and then only if a login attempts fail and you need to do a write then write to the master. I can imagine though that with this approach you can potentially have more auth attempts than is allowed for. > In order to have global password policy. Let's say for example that you have > password policy which states accounts are locked out after 3 unsuccessful > login attempts. If you have 5 directory servers, each with local password > policy, that effectively means an attacker has 15 tries to guess the password > instead of 3. > > If we replicate changes down to the consumer how can the data be > "fresher" than the consumer? My sentence was less than ideal. If changes get replicated down then I agree data everywhere should be equally fresh within the time constraints it takes to replicated fully everywhere. Regards ________________________________________________________________________ In order to protect our email recipients, Betfair Group use SkyScan from MessageLabs to scan all Incoming and Outgoing mail for viruses. ________________________________________________________________________ -- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
