> Hello there, so I've been looking into setting up some account lockout
> policies in my environment. I have 2 multimaster 389ds servers with
> some 389ds consumer replicas. I've enabled passwordIsGlobalPolicy in
> cn=config on all servers.
>
> So if an account gets locked out when binding to a master, it is
> indeed locked out from the replicas. This functionality doesn't seem
> to flow in the opposite direction. If I get locked out on replica1, I
> can happily bind to replica2.
>
> Since replication flows "down" from master to consumer, I don't think
> there is a way to get the lockout information passed "up" to the
> masters then back "down" to peer consumers, but figured I'd ask the list.
>
> So, is there a way to pass account lockout information from consumer
> replicas back to masters? The end goal here is that if an account is
> locked out for too many failed attempts it is globally locked out.
You would have to set up something like chain on update for bind requests
http://www.port389.org/wiki/Howto:ChainOnUpdate
Bind requests would be chained (pass through) to a master, and the
actual updating of the attempt/lockout attributes would be done on a
master, then replicated throughout your topology.
>
> Thanks!
>
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
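The configuration the reply describes, as an added illustration that is not part of the thread or of the linked howto: on each consumer, a chaining (database link) backend that points at a master is added alongside the local userRoot backend, and the mapping tree entry for the suffix is told to route updates (including the password-policy attribute updates caused by failed binds) through that link using the replication plugin's chain-on-update distribution function. The suffix dc=example,dc=com, the host master1.example.com, the backend name chainbe1 and the proxy identity cn=proxy user,cn=config are placeholders, and the component list under nsActiveChainingComponents is taken from my understanding of the password-policy chaining component rather than from this page, so check every value against the howto and your server version before applying it.

```ldif
# Constructed example for one consumer; run with ldapmodify as Directory Manager.
# 1. Chaining backend (database link) pointing at one master.
dn: cn=chainbe1,cn=chaining database,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: chainbe1
nsslapd-suffix: dc=example,dc=com
nsfarmserverurl: ldap://master1.example.com:389/
nsmultiplexorbinddn: cn=proxy user,cn=config
nsmultiplexorcredentials: <proxy-user-password>
nsCheckLocalACI: on

# 2. Let the password policy component chain through the link, so the
#    lockout bookkeeping (passwordRetryCount etc.) is written on the master.
dn: cn=config,cn=chaining database,cn=plugins,cn=config
changetype: modify
add: nsActiveChainingComponents
nsActiveChainingComponents: cn=password policy,cn=components,cn=config

# 3. Mapping tree: keep userRoot for reads, send updates via chainbe1.
dn: cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
add: nsslapd-backend
nsslapd-backend: chainbe1
-
add: nsslapd-distribution-plugin
nsslapd-distribution-plugin: libreplication-plugin
-
add: nsslapd-distribution-funct
nsslapd-distribution-funct: repl_chain_on_update
```

The proxy user must exist on the master with an ACI granting it proxy rights over the suffix, otherwise the chained operations are rejected there. Once this is in place, a failed bind against a consumer causes the retry-count update to happen on the master, which then replicates it back down to every consumer, which is the end-to-end behaviour the original poster is after; the consumer's own replication agreement from the master is still what carries the lockout state to its peers.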