Vince Mele via FreeIPA-users wrote:
> On Thu, Jul 20, 2017 at 10:41 AM, Rob Crittenden via FreeIPA-users
> <email@example.com> wrote:
> Kat via FreeIPA-users wrote:
> > Hi,
> > If I have a simple pair of FreeIPA servers and one is showing different
> > failed auth times for a user -- is this a good indication they are out
> > of sync? Should I not see same failures on both?
> The lockout attributes are per-server (not replicated).
> Is there a way to turn this on globally? I've seen FreeIPA proposals
> that go back years regarding a global lockout attribute that could be
> replicated. I've also seen the 389 config setting passwordIsGlobalPolicy.
> I am personally less concerned about amplifying the number of password
> attempts allowed before lockout (e.g., if lockouts are local to each
> replica, then a user can attempt passwordRetryCount x number of
> replicas). My focus is ensuring that if an account is locked out on one
> or more replica(s), that an unlock sent to one replica will push to all
> other replicas. Otherwise, I will have to manually update and check
> every replica every time a user needs their account unlocked. We have a
> burdensome requirement (supposedly) that requires all locked accounts to
> be manually unlocked.
The issue is that every time a user logs in, or fails to, a replication
event will be triggered. So imagine in the morning as everyone arrives.
Depending on the size of your userbase this could be extensive.
But as I recall the replication agreements are set up with a list of
excluded attributes including the lockout ones: krblastsuccessfulauth,
You could modify the nsDS5ReplicatedAttributeList attribute in the
replication agreements and remove those attributes and they should
FreeIPA-users mailing list -- firstname.lastname@example.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
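An added example, not part of Rob's reply and not FreeIPA's own tooling: the
edit Rob describes is a change to nsDS5ReplicatedAttributeList on each
replication agreement, so the script below builds the ldapmodify LDIF that
drops the lockout attributes from an agreement's EXCLUDE list, and offers a
check you can run against every replica to see whether an agreement still
holds them back. The sample attribute value is constructed to look like a
stock FreeIPA agreement (memberof, idnssoaserial, entryusn and the three krb
lockout attributes in the EXCLUDE list), and the agreement DN and the
ldapsearch/ldapmodify invocations in the comments are assumptions about your
deployment, not values taken from the thread.

```shell
#!/usr/bin/env bash
# Example code added for illustration; not from the mailing-list thread.
# Rewrites a 389-ds replication agreement's nsDS5ReplicatedAttributeList so
# that the lockout attributes are no longer excluded from replication.
set -ef

# Attributes written by the per-server lockout logic. The thread names only
# krblastsuccessfulauth; the other two are assumed here to sit beside it in
# FreeIPA's default EXCLUDE list.
LOCKOUT_ATTRS="krblastsuccessfulauth krblastfailedauth krbloginfailedcount"

# Fetch the current values from one replica (assumed invocation; adjust bind DN):
#   ldapsearch -o ldif-wrap=no -D 'cn=Directory Manager' -W \
#     -b 'cn=mapping tree,cn=config' '(objectclass=nsDS5ReplicationAgreement)' \
#     nsDS5ReplicatedAttributeList nsDS5ReplicatedAttributeListTotal

lowercase() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Returns 0 if none of the lockout attributes are excluded by this value,
# 1 if at least one of them is still held back from replication.
lockout_replicated() {
    local value=$1 excl a
    case "$value" in *EXCLUDE*) ;; *) return 0 ;; esac
    excl=${value#*EXCLUDE}
    for a in $excl; do
        case " $LOCKOUT_ATTRS " in *" $(lowercase "$a") "*) return 1 ;; esac
    done
    return 0
}

# Remove the lockout attribute names from an EXCLUDE list, keeping the
# LDAP filter and the remaining exclusions (memberof, entryusn, ...) intact.
strip_lockout_excludes() {
    local value=$1 filter excl kept="" a
    case "$value" in *EXCLUDE*) ;; *) printf '%s\n' "$value"; return ;; esac
    filter=${value%%\$*}        # e.g. "(objectclass=*) "
    excl=${value#*EXCLUDE}      # e.g. " memberof idnssoaserial entryusn krb..."
    for a in $excl; do
        case " $LOCKOUT_ATTRS " in
            *" $(lowercase "$a") "*) ;;        # drop lockout attribute
            *) kept="$kept $a" ;;
        esac
    done
    printf '%s$ EXCLUDE%s\n' "$filter" "$kept"
}

# Emit an ldapmodify LDIF that replaces the incremental list on one agreement.
# The same edit is needed on nsDS5ReplicatedAttributeListTotal if you want a
# total reinit to carry the lockout state as well.
make_modify_ldif() {
    local agreement_dn=$1 current=$2 new
    new=$(strip_lockout_excludes "$current")
    printf 'dn: %s\nchangetype: modify\nreplace: nsDS5ReplicatedAttributeList\nnsDS5ReplicatedAttributeList: %s\n' \
        "$agreement_dn" "$new"
}

# Constructed sample: a stock-looking FreeIPA agreement (DN is hypothetical).
SAMPLE_DN='cn=meToipa2.example.test,cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config'
SAMPLE_VALUE='(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'

if lockout_replicated "$SAMPLE_VALUE"; then
    echo "lockout state already replicated by this agreement"
else
    echo "lockout state NOT replicated; LDIF to apply with ldapmodify -D 'cn=Directory Manager' -W -f agreement.ldif:"
    make_modify_ldif "$SAMPLE_DN" "$SAMPLE_VALUE"
fi
```

Two caveats before applying this anywhere: agreements are per server and per
direction, so the LDIF has to be applied to every agreement on every replica
or the lockout state will flow one way only, and once the exclusions are gone
every successful and failed bind becomes a replication event, which is the
morning-rush load Rob warns about above.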