Vince Mele via FreeIPA-users wrote:
> On Thu, Jul 20, 2017 at 10:41 AM, Rob Crittenden via FreeIPA-users wrote:
>     Kat via FreeIPA-users wrote:
>     > Hi,
>     >
>     > If I have a simple pair of FreeIPA servers and one is showing different
>     > failed auth times for a user -- is this a good indication they are out
>     > of sync? Should I not see the same failures on both?
>     The lockout attributes are per-server (not replicated).
>     rob
> Is there a way to turn this on globally? I've seen FreeIPA proposals
> that go back years regarding a global lockout attribute that could be
> replicated. I've also seen the 389 config setting passwordIsGlobalPolicy.
> I am personally less concerned about amplifying the number of password
> attempts allowed before lockout (e.g., if lockouts are local to each
> replica, then a user can attempt passwordRetryCount x number of
> replicas). My focus is ensuring that if an account is locked out on one
> or more replica(s), that an unlock sent to one replica will push to all
> other replicas. Otherwise, I will have to manually update and check
> every replica every time a user needs their account unlocked. We have a
> burdensome requirement (supposedly) that requires all locked accounts to
> be manually unlocked. 

The issue is that every time a user logs in, or fails to, a replication
event will be triggered. So imagine in the morning as everyone arrives.
Depending on the size of your userbase this could be extensive.

But as I recall the replication agreements are set up with a list of
excluded attributes including the lockout ones: krblastsuccessfulauth,
krblastfailedauth, krbloginfailedcount.

You could modify the nsDS5ReplicatedAttributeList attribute in the
replication agreements and remove those attributes and they should
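
The following is an added example, not part of the original message and not FreeIPA project code: it rewrites an nsDS5ReplicatedAttributeList value so the three lockout attributes named above are no longer excluded, and builds the LDIF change for one replication agreement. The agreement DN and the sample attribute value are constructed placeholders; read the real ones from each agreement before changing anything.

```python
import re

# Lockout attributes named in the reply above.
LOCKOUT_ATTRS = ("krblastsuccessfulauth", "krblastfailedauth", "krbloginfailedcount")

def strip_excluded(value, remove=LOCKOUT_ATTRS):
    """Return (new_value, removed) for an nsDS5ReplicatedAttributeList value.

    The value has the form '(objectclass=*) $ EXCLUDE attr1 attr2 ...'.
    Attribute names are compared case-insensitively, as LDAP does.
    """
    m = re.fullmatch(r"\s*(\(.*?\))\s*\$\s*EXCLUDE\s+(.*?)\s*", value, re.I | re.S)
    if not m:
        raise ValueError("not a '<filter> $ EXCLUDE <attrs>' value: %r" % value)
    flt, attrs = m.group(1), m.group(2).split()
    drop = {a.lower() for a in remove}
    kept = [a for a in attrs if a.lower() not in drop]
    removed = [a for a in attrs if a.lower() in drop]
    if not kept:
        # Choice made for this example: never write an empty EXCLUDE list.
        raise ValueError("refusing to produce an empty EXCLUDE list")
    return "%s $ EXCLUDE %s" % (flt, " ".join(kept)), removed

def modify_ldif(agreement_dn, old_value):
    """Build an LDIF modify for one agreement, or None if nothing changes."""
    new_value, removed = strip_excluded(old_value)
    if not removed:
        return None  # the lockout attributes are already replicated
    return "\n".join([
        "dn: " + agreement_dn,
        "changetype: modify",
        "replace: nsDS5ReplicatedAttributeList",
        "nsDS5ReplicatedAttributeList: " + new_value,
        "",
    ])

# Constructed sample input (placeholder host and suffix, not from the thread).
SAMPLE_DN = (r"cn=meToreplica2.example.test,cn=replica,"
             r"cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config")
SAMPLE_VALUE = ("(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn "
                "krblastsuccessfulauth krblastfailedauth krbloginfailedcount")

if __name__ == "__main__":
    print(modify_ldif(SAMPLE_DN, SAMPLE_VALUE))
```

The generated LDIF would be applied with ldapmodify to each agreement, keeping in mind the replication load per login that the reply describes.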
