[389-users] Re: How to replicate password lockout attributes from a consumer or hub to a master(s)

On 8/12/21 10:53 AM, Michael Starling wrote:

Hello.

I've taken over a large 389-ds environment running on Oracle Linux 8 and the first task I need to complete is to enable password lockouts.

I was able to enable password lockouts successfully however it only works if the client is pointed directly to a master. The account locks out and the attributes are propagated down to the hubs and consumers.

If the client is pointed to a read-only hub or consumer then the account does not lockout and the password attributes do not propagate back to the masters.

passwordIsGlobalPolicy: on is set on all masters, hubs and consumers

Password policy attributes I expect to replicate:

passwordRetryCount

accountUnlockTime

retryCountResetTime

I've tried following the chaining guide below which I think is what I need to do to get this work as expected, however I've hit a snag.

https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate.html

389 Directory Server - Howto:ChainOnUpdate Introduction. The usual deployment for a large replication topology will have the client applications reading from hubs or dedicated consumers in order to spread out the load and off-load search request processing from the masters. directory.fedoraproject.org

The document states the backend must be added to the hub or consumer, however when I try and add the following LDIF to the hub I get the "unwilling to perform" error.

This makes sense because the hub is read-only so I'm confused as how I can update the config on a read-only hub or consumer?

dn: cn=chainlab,cn=chaining database,cn=plugins,cn=config

objectclass: top

objectclass: extensibleObject

objectclass: nsBackendInstance

cn: chainlab

nsslapd-suffix: dc=domain,dc=com

nsfarmserverurl: ldap://dsa1.domain.com:389 ldap://dsa2.domain.com:389 ldap://dsa3.domain.com:389

nsmultiplexorbinddn: uid=repluser,cn=config

nsmultiplexorcredentials: mypassword

nsCheckLocalACI: on

adding new entry "cn=chainlab,cn=chaining database,cn=plugins,cn=config"
ldap_add: Server is unwilling to perform (53)

This is the doc you want to follow to get this working.  But it is complicated... 

In this case I'm not sure why the error 53 is being returned.  There is something about that entry it does not like.  So please check the access and errors log from the time of this failure (see /var/log/dirsrv/slapd-YOUR_INSTANCE/).  There is usually more info logged when an error 53 happens.

Also what version of 389-ds-base are you running?

Thanks,
Mark

Hub or Consumer

Step 1 (Hub and Consumer): the chaining backend must be created on the hub and consumer:

dn: cn=chainbe1,cn=chaining database,cn=plugins,cn=config      objectclass: top      objectclass: extensibleObject      objectclass: nsBackendInstance      cn: chainbe1      nsslapd-suffix: <suffix to replicate>  nsfarmserverurl: ldap://supplier1:port supplier2:port ... supplierN:port/ # also, ldaps can be used instead                                                                            # of ldap for secure connections -                                                                            # requires the secure port  nsmultiplexorbinddn: cn=Replication Manager,cn=config # or whatever the replica bind DN is on the supplier  nsmultiplexorcredentials: password      nsCheckLocalACI: on    

Any help would be greatly appreciated.

Thanks

_______________________________________________  389-users mailing list -- 389-users@lists.fedoraproject.org  To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org  Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/  List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines  List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org  Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure  

--   Directory Server Development Team