On 05/20/2014 11:43 AM, Dustin Rice wrote:
Hello there, so I've been looking into setting up some account lockout policies in my environment. I have 2 multimaster 389ds servers with some 389ds consumer replicas. I've enabled passwordIsGlobalPolicy in cn=config on all servers.

So if an account gets locked out when binding to a master, it is indeed locked out from the replicas. This functionality doesn't seem to flow in the opposite direction. If I get locked out on replica1, I can happily bind to replica2.

Since replication flows "down" from master to consumer, I don't think there is a way to get the lockout information passed "up" to the masters then back "down" to peer consumers, but figured I'd ask the list.

So, is there a way to pass account lockout information from consumer replicas back to masters? The end goal here is that if an account is locked out for too many failed attempts it is globally locked out.

You would have to set up something like chain on update for bind requests
http://www.port389.org/wiki/Howto:ChainOnUpdate
Bind requests would be chained (pass through) to a master, and the actual updating of the attempt/lockout attributes would be done on a master, then replicated throughout your topology.


Thanks!


--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users
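A constructed LDIF sketch of the chain-on-update setup the reply points at, added here as an illustration rather than taken from the thread or from the 389ds project's howto; the suffix, hostnames, proxy DN and password are placeholders, and the plugin path is install-dependent.

```ldif
# --- On each master: a proxy identity the consumers bind as, plus the
#     proxy ACI that lets it act on behalf of the chained user.
#     (Suffix, DNs, hostnames and password are constructed sample values.)
dn: cn=chain proxy,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
cn: chain proxy
sn: chain proxy
userPassword: CHANGE-ME

dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "proxied auth for chain on update";
  allow (proxy) userdn="ldap:///cn=chain proxy,dc=example,dc=com";)

# --- On each consumer: chain the ACL and password-policy components so a
#     chained bind's retry-count/lockout bookkeeping happens on the master.
dn: cn=config,cn=chaining database,cn=plugins,cn=config
changetype: modify
add: nsActiveChainingComponents
nsActiveChainingComponents: cn=ACL Plugin,cn=plugins,cn=config
nsActiveChainingComponents: cn=password policy,cn=components,cn=config

# --- On each consumer: the database link to the masters (a space-separated
#     host list gives failover between them).
dn: cn=chainbe1,cn=chaining database,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: chainbe1
nsslapd-suffix: dc=example,dc=com
nsfarmserverurl: ldap://master1.example.com:389 master2.example.com:389/
nsmultiplexorbinddn: cn=chain proxy,dc=example,dc=com
nsmultiplexorcredentials: CHANGE-ME
nsCheckLocalACI: on

# --- On each consumer: route writes through repl_chain_on_update instead
#     of answering with a referral. Plugin path varies by platform (assumed).
dn: cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
add: nsslapd-backend
nsslapd-backend: chainbe1
-
replace: nsslapd-state
nsslapd-state: backend
-
add: nsslapd-distribution-plugin
nsslapd-distribution-plugin: /usr/lib64/dirsrv/plugins/replication-plugin.so
-
add: nsslapd-distribution-funct
nsslapd-distribution-funct: repl_chain_on_update
```

Apply the master fragment with ldapmodify on each master and the consumer fragments on each consumer, then restart the consumers so the nsActiveChainingComponents change takes effect.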