So the problems were 1) I needed to set 'passwordUnlock: on' even though that's supposed to be the default value 2) In 'cn=config' I needed to set 'passwordIsGlobalPolicy: on' on every server to enable replication of lockout params.
Thanks to Kevin Kelly for pointing me in the right direction. The relevant documentation can be found here: https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_the_Password_Policy-Configuring_the_Account_Lockout_Policy.html -- Mitch On 1/16/18, 1:44 PM, "Mitch Patenaude" <mpatena...@shutterfly.com> wrote: I'm trying to implement account lockouts for <n> failed login attempts in a multi-master environment. I used something like the following ldif to enable to lockouts: dn: cn="cn=nsPwPolicyEntry,ou=people,dc=example,dc=com",cn=nsPwPolicyContainer,ou=people,dc=example,dc=com changetype: modify add: passwordLockout passwordLockout: on - add: passwordMaxFailure passwordMaxFailure: 5 - add: passwordResetFailureCount passwordResetFailureCount: 1800 - add: passwordLockoutDuration passwordLockoutDuration: 1800 It works (kind of), but there are 2 problems: 1) Even though the passwordLockoutDuration is only 30 minutes, it locks the user out indefinitely (i.e. accountUnlockTime: 19700101000000Z) 2) The accountUnlockTime attribute doesn't get replicated, so the user is only locked out of 1 of the 4 master servers. Any idea what I am doing wrong? Thanks, -- Mitch Patenaude mpatena...@shutterfly.com Systems engineer _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
