Hello. I've taken over a large 389-ds environment running on Oracle Linux 8 and the first task I need to complete is to enable password lockouts.
I was able to enable password lockouts successfully; however, it only works if the client is pointed directly to a master. The account locks out and the attributes are propagated down to the hubs and consumers. If the client is pointed to a read-only hub or consumer then the account does not lock out and the password attributes do not propagate back to the masters.

passwordIsGlobalPolicy: on is set on all masters, hubs and consumers.

Password policy attributes I expect to replicate:

passwordRetryCount
accountUnlockTime
retryCountResetTime

I've tried following the chaining guide below, which I think is what I need to do to get this to work as expected; however, I've hit a snag.

https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate.html

The document states the backend must be added to the hub or consumer; however, when I try to add the following LDIF to the hub I get the "unwilling to perform" error. This makes sense because the hub is read-only, so I'm confused as to how I can update the config on a read-only hub or consumer?

dn: cn=chainlab,cn=chaining database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
cn: chainlab
nsslapd-suffix: dc=domain,dc=com
nsfarmserverurl: ldap://dsa1.domain.com:389 ldap://dsa2.domain.com:389 ldap://dsa3.domain.com:389
nsmultiplexorbinddn: uid=repluser,cn=config
nsmultiplexorcredentials: mypassword
nsCheckLocalACI: on

adding new entry "cn=chainlab,cn=chaining database,cn=plugins,cn=config"
ldap_add: Server is unwilling to perform (53)

Hub or Consumer

Step 1 (Hub and Consumer): the chaining backend must be created on the hub and consumer:

dn: cn=chainbe1,cn=chaining database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
cn: chainbe1
nsslapd-suffix: <suffix to replicate>
nsfarmserverurl: ldap://supplier1:port supplier2:port ... supplierN:port/ # also, ldaps can be used instead
                                                                          # of ldap for secure connections -
                                                                          # requires the secure port
nsmultiplexorbinddn: cn=Replication Manager,cn=config # or whatever the replica bind DN is on the supplier
nsmultiplexorcredentials: password
nsCheckLocalACI: on

Any help would be greatly appreciated.

Thanks
