Yes, but not for the lockout testing; I went straight to the individual nodes with ldapsearch containing invalid credentials (simplest case).
Eric

On 2013-04-12 13:24, Jim Finn wrote:
Are you using any kind of VIP or load balancer in front of the two instances?

On Fri, Apr 12, 2013 at 12:15 PM, Eric Gingras <[email protected]> wrote:

Hi,

I have not received any input on this one; if you could kindly let me know whether some information is missing, I'd like to get this resolved.

Many thanks
Eric

-------- Original Message --------
Subject: passwordRetryCount not incrementing past 1
Date: 2013-04-10 09:17
From: Eric Gingras <[email protected]>
To: <[email protected]>

Hi,

I have an issue with account lockout.

Setup:
2-node in MMR config
389-Directory/1.2.10.26 B2013.023.2027 (from fedorapeople repo)
RHEL 6.4 x86_64

What I did (as per docs), doing this as a subtree or local policy:

dn: cn=config
changetype: modify
replace: passwordIsGlobalPolicy
passwordIsGlobalPolicy: on

dn: cn=cn=nsPwPolicyEntry,ou=People,dc=<REMOVED>,dc=com,cn=nsPwPolicyContainer,ou=People,dc=<REMOVED>,dc=com
changetype: modify
replace: passwordExp
passwordExp: on
-
replace: passwordMaxAge
passwordMaxAge: 7862400
-
replace: passwordHistory
passwordHistory: on
-
replace: passwordInHistory
passwordInHistory: 3
-
replace: passwordCheckSyntax
passwordCheckSyntax: on
-
replace: passwordMinDigits
passwordMinDigits: 1
-
replace: passwordMinSpecials
passwordMinSpecials: 1
-
replace: passwordMinLowers
passwordMinLowers: 1
-
replace: passwordMinUppers
passwordMinUppers: 1
-
replace: passwordMinLength
passwordMinLength: 8
-
replace: passwordStorageScheme
passwordStorageScheme: SSHA512
-
replace: passwordLockout
passwordLockout: on
-
add: passwordMaxFailure
passwordMaxFailure: 3
-
add: passwordUnlock
passwordUnlock: off

I also need to track loginTime (no time-based lockout), again as per doc:

dn: cn=Account Policy Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on

dn: cn=Account Policy Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginarg0
nsslapd-pluginarg0: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
changetype: modify
replace: alwaysrecordlogin
alwaysrecordlogin: yes
-
add: stateattrname
stateattrname: lastLoginTime
-
add: altstateattrname
altstateattrname: createTimestamp
-
add: specattrname
specattrname: acctPolicySubentry
-
add: limitattrname
limitattrname: accountInactivityLimit

Restarted:

service dirsrv restart both nodes

What I get (after purposely trying to bind with wrong pwd many times):

No lockout, passwordRetryCount stays at 1

dn: uid=<REMOVED>,ou=People,dc=<REMOVED>,dc=com
passwordRetryCount: 1
retryCountResetTime: 20130410130146Z
lastLoginTime: 20130409193943Z
passwordExpirationTime: 20130709182434Z
userPassword:: <REMOVED>
mail: <REMOVED>
sn: <REMOVED>
preferredLanguage: en
cn: <REMOVED>
uid: <REMOVED>
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
givenName: <REMOVED>

I'm fresh out of ideas; thanks for helping.

Eric
--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users
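As an added example (not code from the thread or from the 389 project), a small Python script that parses LDIF modify records like the ones in Eric's original message and reports the lockout settings that would take effect, filling in server defaults for any lockout attribute the LDIF leaves untouched and flagging the usual review points. The sample LDIF is constructed, and the default values (passwordMaxFailure 3, passwordResetFailureCount 600 s, passwordLockoutDuration 3600 s, passwordUnlock on, passwordIsGlobalPolicy off) are assumed from the 389 DS password-policy documentation.

```python
import re

# Server defaults assumed from the 389 DS password-policy documentation.
LOCKOUT_DEFAULTS = {
    "passwordLockout": "off",
    "passwordMaxFailure": "3",
    "passwordResetFailureCount": "600",   # seconds until the retry counter resets
    "passwordLockoutDuration": "3600",    # seconds an account stays locked
    "passwordUnlock": "on",
    "passwordIsGlobalPolicy": "off",
}

def parse_ldif_mods(text):
    """Return {dn: {attr: value}} for every add/replace in LDIF modify records."""
    entries = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = [l for l in record.splitlines() if l and not l.startswith("#")]
        if not lines or not lines[0].startswith("dn:"):
            continue
        attrs = entries.setdefault(lines[0][3:].strip(), {})
        pending = None                      # attribute named by the last add/replace
        for line in lines[1:]:
            op, _, rest = line.partition(":")
            if line == "-" or op == "changetype":
                pending = None
            elif op in ("add", "replace"):
                pending = rest.strip()
            elif pending and op == pending:
                attrs[pending] = rest.strip()
    return entries

def lockout_report(ldif_text):
    """Merge all records into the effective lockout settings plus review findings."""
    settings, explicit = dict(LOCKOUT_DEFAULTS), set()
    for attrs in parse_ldif_mods(ldif_text).values():
        for name, value in attrs.items():
            if name in settings:
                settings[name] = value
                explicit.add(name)
    findings = []
    if settings["passwordLockout"] != "on":
        findings.append("passwordLockout is off: accounts never lock however many binds fail")
    if "passwordResetFailureCount" not in explicit:
        findings.append("passwordResetFailureCount not set: the counter resets %s s after the "
                        "last failure, so failures spaced wider than that never accumulate"
                        % settings["passwordResetFailureCount"])
    if settings["passwordIsGlobalPolicy"] != "on":
        findings.append("passwordIsGlobalPolicy off: retry counts stay local to each replica")
    return settings, findings

# Constructed sample mirroring the lockout-related part of the posted LDIF.
SAMPLE_LDIF = """dn: cn=config
changetype: modify
replace: passwordIsGlobalPolicy
passwordIsGlobalPolicy: on

dn: cn=cn=nsPwPolicyEntry,ou=People,dc=example,dc=com,cn=nsPwPolicyContainer,ou=People,dc=example,dc=com
changetype: modify
replace: passwordLockout
passwordLockout: on
-
add: passwordMaxFailure
passwordMaxFailure: 3
-
add: passwordUnlock
passwordUnlock: off
"""

if __name__ == "__main__":
    effective, notes = lockout_report(SAMPLE_LDIF)
    for name, value in effective.items():
        print("%-26s %s" % (name, value))
    for note in notes:
        print("NOTE:", note)
```

The findings are review hints only; they do not diagnose the counter behaviour reported in the thread, which needs the server's own logs.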




