On Thu, Jul 20, 2017 at 10:41 AM, Rob Crittenden via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Kat via FreeIPA-users wrote:
> > Hi,
> >
> > If I have a simple pair of FreeIPA servers and one is showing different
> > failed auth times for a user -- is this a good indication they are out
> > of sync? Should I not see same failures on both?
> The lockout attributes are per-server (not replicated).
> rob
Is there a way to turn this on globally? I've seen FreeIPA proposals that
go back years regarding a global lockout attribute that could be
replicated. I've also seen the 389 config setting passwordIsGlobalPolicy.

I am personally less concerned about amplifying the number of password
attempts allowed before lockout (e.g., if lockouts are local to each
replica, then a user can attempt passwordRetryCount x number of replicas).
My focus is ensuring that if an account is locked out on one or more
replica(s), that an unlock sent to one replica will push to all other
replicas. Otherwise, I will have to manually update and check every replica
every time a user needs their account unlocked. We have a burdensome
requirement (supposedly) that requires all locked accounts to be manually
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to