I did a bit more testing about this.

I set up password policy as below. Only relevant part given.

pwdLockout: TRUE
pwdMaxFailure: 3
pwdLockoutDuration: 90

1 - I did bind to the master server 3 times using the wrong password. I then failed to bind using the right password. Expected.

2 - I did bind to the consumer server using the right password. Failed. Expected.

After 90 seconds everything works fine.

3 - I did bind to the consumer server using the wrong password three times. I then failed to bind to the consumer using the right password. Failed. Expected.

4 - I did bind to the master server using the right password. Success. Not expected before 90 seconds had elapsed.

I know the consumer server is not supposed to update the master server database, but is there any workaround? Does OpenLDAP support multi-master replication? Is this a limitation? Does this mean a client locked on the consumer server - as set by the policy - would be able to bind to the master server, overriding the policy?

One more doubt: where are the failure counts stored?

Regards,
Sadique

Sadique Puthen wrote:
Hi,

Is it possible to replicate password policy related attributes using sync replication while using ppolicy overlay?

I am specifically asking about replicating pwdChangedTime, pwdAccountLockedTime, pwdHistory, etc., not about password configuration related attributes.

Regards,
Sadique
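An added example, not code from this thread or from OpenLDAP itself: it takes the policy values used above (pwdLockout TRUE, pwdMaxFailure 3, pwdLockoutDuration 90) together with the operational attributes the ppolicy overlay writes on the user entry when binds fail (pwdFailureTime holds one GeneralizedTime value per failed bind, pwdAccountLockedTime the time the lock was set), decides whether the account may bind at a given moment, and reports which ppolicy attributes differ between a master and a consumer copy of the same entry. That comparison is the check behind the thread's step 4: if the consumer's copy carries a lock the master's does not, the bind succeeds on the master. The Python code, the seconds-precision UTC time handling, and the two sample entries are my own constructions, so it runs offline without a directory server.

```python
from datetime import datetime, timedelta, timezone

# Added example (not from the thread or OpenLDAP). Assumptions: attribute values
# are LDAP GeneralizedTime strings in UTC ("YYYYMMDDHHMMSS[.fff]Z"); policy values
# are integers (seconds or counts) as shown in the thread.

PERMANENT_LOCK = "000001010000Z"  # ppolicy sentinel: locked until an admin resets the password

PPOLICY_STATE_ATTRS = ("pwdAccountLockedTime", "pwdChangedTime", "pwdFailureTime",
                       "pwdHistory", "pwdGraceUseTime", "pwdReset")


def parse_generalized_time(value):
    """Parse a GeneralizedTime value (UTC) to an aware datetime, dropping any fraction."""
    if "." in value:
        value = value.split(".", 1)[0] + "Z"
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def lockout_state(entry, policy, now):
    """Describe whether `entry` may bind at `now` under `policy`.

    entry : operational attributes of the user entry, e.g.
            {"pwdAccountLockedTime": "...", "pwdFailureTime": ["...", "..."]}
    policy: pwdLockout (bool), pwdMaxFailure, pwdLockoutDuration and optionally
            pwdFailureCountInterval (ints); a 0 duration/interval means "forever".
    """
    failures = [parse_generalized_time(t) for t in entry.get("pwdFailureTime", [])]
    interval = policy.get("pwdFailureCountInterval", 0)
    if interval:
        # only failures inside the counting window count towards pwdMaxFailure
        failures = [t for t in failures if now - t <= timedelta(seconds=interval)]
    state = {
        "locked": False,
        "unlock_at": None,
        "failures": len(failures),
        "failures_remaining": max(policy["pwdMaxFailure"] - len(failures), 0),
    }
    locked_at = entry.get("pwdAccountLockedTime")
    if not policy.get("pwdLockout") or locked_at is None:
        return state
    if locked_at == PERMANENT_LOCK:
        state["locked"] = True
        return state
    duration = policy.get("pwdLockoutDuration", 0)
    if duration == 0:
        state["locked"] = True  # the lock never expires on its own
        return state
    unlock_at = parse_generalized_time(locked_at) + timedelta(seconds=duration)
    state["unlock_at"] = unlock_at
    state["locked"] = now < unlock_at
    return state


def replication_gap(master_entry, consumer_entry, attrs=PPOLICY_STATE_ATTRS):
    """Return the ppolicy state attributes whose values differ between the two copies."""
    return sorted(a for a in attrs if master_entry.get(a) != consumer_entry.get(a))


# Policy from the thread
POLICY = {"pwdLockout": True, "pwdMaxFailure": 3, "pwdLockoutDuration": 90}

# Constructed sample: three failed binds against the consumer locked the
# account there at 12:00:00Z, but nothing was written back to the master.
CONSUMER_ENTRY = {
    "pwdFailureTime": ["20240501115940Z", "20240501115950Z", "20240501120000Z"],
    "pwdAccountLockedTime": "20240501120000Z",
}
MASTER_ENTRY = {}


def demo(now=datetime(2024, 5, 1, 12, 1, 0, tzinfo=timezone.utc)):
    """Evaluate both copies at `now` and list what the consumer knows that the master does not."""
    return {
        "consumer": lockout_state(CONSUMER_ENTRY, POLICY, now),
        "master": lockout_state(MASTER_ENTRY, POLICY, now),
        "missing_on_master": replication_gap(MASTER_ENTRY, CONSUMER_ENTRY),
    }


if __name__ == "__main__":
    for server, state in demo().items():
        print(server, state)
```

Feeding it real values is a matter of reading the same attributes from each server with an `ldapsearch` for the user DN that requests `+` (operational attributes) and passing them in; a non-empty `missing_on_master` list at the moment a consumer-side lock is active reproduces the success in step 4.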

