Are you using any kind of VIP or load balancer in front of the two instances?
On Fri, Apr 12, 2013 at 12:15 PM, Eric Gingras <[email protected]> wrote:
> Hi,
>
> I have not received any input on this one, if you could kindly inform if
> some information is missing I'd like to get this resolved.
>
> Many thanks
> Eric
>
> -------- Original Message --------
> Subject: passwordRetryCount not incrementing past 1
> Date: 2013-04-10 09:17
> From: Eric Gingras <[email protected]>
> To: <389-users@lists.fedoraproject.org>
>
> Hi,
>
> I have an issue with account lockout.
>
> Setup:
> 2-node in MMR config
> 389-Directory/1.2.10.26 B2013.023.2027 (from fedorapeople repo)
> RHEL 6.4 x86_64
>
> What I did (as per docs), doing this as a subtree or local policy:
>
> dn: cn=config
> changetype: modify
> replace: passwordIsGlobalPolicy
> passwordIsGlobalPolicy: on
>
> dn: cn=cn\=nsPwPolicyEntry\,ou\=People\,dc\=<REMOVED>\,dc\=com,cn=nsPwPolicyContainer,ou=People,dc=<REMOVED>,dc=com
> changetype: modify
> replace: passwordExp
> passwordExp: on
> -
> replace: passwordMaxAge
> passwordMaxAge: 7862400
> -
> replace: passwordHistory
> passwordHistory: on
> -
> replace: passwordInHistory
> passwordInHistory: 3
> -
> replace: passwordCheckSyntax
> passwordCheckSyntax: on
> -
> replace: passwordMinDigits
> passwordMinDigits: 1
> -
> replace: passwordMinSpecials
> passwordMinSpecials: 1
> -
> replace: passwordMinLowers
> passwordMinLowers: 1
> -
> replace: passwordMinUppers
> passwordMinUppers: 1
> -
> replace: passwordMinLength
> passwordMinLength: 8
> -
> replace: passwordStorageScheme
> passwordStorageScheme: SSHA512
> -
> replace: passwordLockout
> passwordLockout: on
> -
> add: passwordMaxFailure
> passwordMaxFailure: 3
> -
> add: passwordUnlock
> passwordUnlock: off
>
> I also need to track loginTime (no time-based lockout), again as per doc:
>
> dn: cn=Account Policy Plugin,cn=plugins,cn=config
> changetype: modify
> replace: nsslapd-pluginEnabled
> nsslapd-pluginEnabled: on
>
> dn: cn=Account Policy Plugin,cn=plugins,cn=config
> changetype: modify
> replace: nsslapd-pluginarg0
> nsslapd-pluginarg0: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
>
> dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
> changetype: modify
> replace: alwaysrecordlogin
> alwaysrecordlogin: yes
> -
> add: stateattrname
> stateattrname: lastLoginTime
> -
> add: altstateattrname
> altstateattrname: createTimestamp
> -
> add: specattrname
> specattrname: acctPolicySubentry
> -
> add: limitattrname
> limitattrname: accountInactivityLimit
>
> Restarted:
>
> service dirsrv restart both nodes
>
> What I get (after purposely trying to bind with wrong pwd many times):
>
> No lockout, passwordRetryCount stays at 1
>
> dn: uid=<REMOVED>,ou=People,dc=<REMOVED>,dc=com
> passwordRetryCount: 1
> retryCountResetTime: 20130410130146Z
> lastLoginTime: 20130409193943Z
> passwordExpirationTime: 20130709182434Z
> userPassword:: <REMOVED>
> mail: <REMOVED>
> sn: <REMOVED>
> preferredLanguage: en
> cn: <REMOVED>
> uid: <REMOVED>
> objectClass: inetOrgPerson
> objectClass: organizationalPerson
> objectClass: person
> objectClass: top
> givenName: <REMOVED>
>
> I'm freshly out of ideas, thanks for helping.
>
> Eric
> --
> 389 users mailing list
> [email protected]
> https://admin.fedoraproject.org/mailman/listinfo/389-users
