Monday, February 24, 2014

Re: [389-users] One supplier; two consumers : how to enable replication of Account Lockout policy attributes?

On 02/24/2014 01:34 PM, Jon Detert wrote:
> I want the account lockout policy of all 3 servers to be the same, and the account lockout status of a given bind-dn to be the same across all 3.
>
> I made the config shown below, but when I locked an account via purposely failed bind attempts to one of the consumers, neither the supplier nor the other consumer got informed that the account was locked. Any ideas?

Looks like you are halfway there.

https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Replicating-Password-Attributes.html

Are any of these consumers read-only? If so, then you'll have to do
something like a chain-on-bind request so that the password policy
attributes are stored on a writable master.
http://www.port389.org/wiki/Howto:ChainOnUpdate

>
> Thanks
>
> The config:
> ====================
>
> I ran this on the supplier and both consumers:
> ldapmodify -h localhost -cax -D "cn=directory manager" -y ~/pword <<BYE
> dn: cn=config
> changetype: modify
> add: passwordLockout
> passwordLockout: on
> -
> add: passwordUnlock
> passwordUnlock: on
> -
> add: passwordMaxFailure
> passwordMaxFailure: 20
> -
> add: passwordLockoutDuration
> passwordLockoutDuration: 3600
> -
> add: passwordResetFailureCount
> passwordResetFailureCount: 600
>
> BYE
>
> And this on each of the 2 consumers:
>
> ldapmodify -h localhost -D cn="Directory Manager" -y ~/pword <<BYE
> dn: cn=config
> changetype: modify
> replace: passwordIsGlobalPolicy
> passwordIsGlobalPolicy: on
> BYE
>
>

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
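A consistency check a practitioner could run after following the linked guide, added here as example code that is not part of the thread or of 389 DS: it reads per-server LDIF dumps (constructed below using the policy values from the thread; the user DN and the server names are assumptions) and reports where passwordIsGlobalPolicy is not on and where the lockout state attributes of one account diverge across the replicas.

```python
"""Added check: compare lockout policy and per-account lockout state across
389 DS replicas using LDIF dumps (e.g. ldapsearch -LLL output from each server)."""
USER_DN = "uid=jdoe,ou=people,dc=example,dc=com"  # constructed example DN
POLICY_ATTRS = ("passwordLockout", "passwordUnlock", "passwordMaxFailure",
                "passwordLockoutDuration", "passwordResetFailureCount")
STATE_ATTRS = ("passwordRetryCount", "retryCountResetTime", "accountUnlockTime")
def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr: value}}; assumes unfolded, non-base64 lines."""
    entries, cur = {}, None
    for line in text.splitlines():
        if not line.strip():  # blank line ends the current entry
            cur = None
            continue
        attr, _, val = line.partition(":")
        if attr == "dn":
            cur = entries.setdefault(val.strip(), {})
        elif cur is not None:
            cur[attr] = val.strip()
    return entries

def compare_servers(dumps, user_dn):
    """dumps: {server_name: ldif_text}. Returns a list of human-readable findings."""
    parsed = {srv: parse_ldif(t) for srv, t in dumps.items()}
    findings = []
    for srv, entries in parsed.items():
        cfg = entries.get("cn=config", {})
        if cfg.get("passwordIsGlobalPolicy", "off").lower() != "on":
            findings.append(f"{srv}: passwordIsGlobalPolicy is not on")
    for attr in POLICY_ATTRS + STATE_ATTRS:  # policy lives in cn=config, state on the user
        dn = "cn=config" if attr in POLICY_ATTRS else user_dn
        seen = {srv: e.get(dn, {}).get(attr) for srv, e in parsed.items()}
        if len(set(seen.values())) > 1:
            findings.append(f"{attr} differs: {seen}")
    return findings

def sample_dump(global_policy, retry, locked_at=None):
    """Constructed LDIF for one server, using the policy values from the thread."""
    cfg = ["dn: cn=config", "passwordLockout: on", "passwordUnlock: on", "passwordMaxFailure: 20",
           "passwordLockoutDuration: 3600", "passwordResetFailureCount: 600"]
    if global_policy:
        cfg.append("passwordIsGlobalPolicy: on")
    user = [f"dn: {USER_DN}", f"passwordRetryCount: {retry}"]
    if locked_at:  # state attributes exist only where the failed binds were seen
        user += [f"retryCountResetTime: {locked_at}", f"accountUnlockTime: {locked_at}"]
    return "\n".join(cfg) + "\n\n" + "\n".join(user) + "\n"

# Scenario from the thread: supplier lacks passwordIsGlobalPolicy, consumer1 locked the account.
SAMPLE = {"supplier": sample_dump(False, 0),
          "consumer1": sample_dump(True, 20, "20140224203400Z"),
          "consumer2": sample_dump(True, 0)}
```

Running `compare_servers(SAMPLE, USER_DN)` on the constructed scenario flags the supplier's missing passwordIsGlobalPolicy and the three state attributes that only consumer1 holds.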
