Hi,
I have an issue with account lockout.
Setup: 2-node MMR config, 389-Directory/1.2.10.26 B2013.023.2027 (from the fedorapeople repo), RHEL 6.4 x86_64
What I did (as per docs), doing this as a subtree or local policy:
dn: cn=config
changetype: modify
replace: passwordIsGlobalPolicy
passwordIsGlobalPolicy: on

dn: cn=cn=nsPwPolicyEntry,ou=People,dc=<REMOVED>,dc=com,cn=nsPwPolicyContainer,ou=People,dc=<REMOVED>,dc=com
changetype: modify
replace: passwordExp
passwordExp: on
-
replace: passwordMaxAge
passwordMaxAge: 7862400
-
replace: passwordHistory
passwordHistory: on
-
replace: passwordInHistory
passwordInHistory: 3
-
replace: passwordCheckSyntax
passwordCheckSyntax: on
-
replace: passwordMinDigits
passwordMinDigits: 1
-
replace: passwordMinSpecials
passwordMinSpecials: 1
-
replace: passwordMinLowers
passwordMinLowers: 1
-
replace: passwordMinUppers
passwordMinUppers: 1
-
replace: passwordMinLength
passwordMinLength: 8
-
replace: passwordStorageScheme
passwordStorageScheme: SSHA512
-
replace: passwordLockout
passwordLockout: on
-
add: passwordMaxFailure
passwordMaxFailure: 3
-
add: passwordUnlock
passwordUnlock: off
I also need to track loginTime (no time-based lockout), again as per the doc:
dn: cn=Account Policy Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on

dn: cn=Account Policy Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginarg0
nsslapd-pluginarg0: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
changetype: modify
replace: alwaysrecordlogin
alwaysrecordlogin: yes
-
add: stateattrname
stateattrname: lastLoginTime
-
add: altstateattrname
altstateattrname: createTimestamp
-
add: specattrname
specattrname: acctPolicySubentry
-
add: limitattrname
limitattrname: accountInactivityLimit
Restarted:
service dirsrv restart (on both nodes)
What I get (after purposely trying to bind with a wrong password many times):
No lockout, passwordRetryCount stays at 1
dn: uid=<REMOVED>,ou=People,dc=<REMOVED>,dc=com
passwordRetryCount: 1
retryCountResetTime: 20130410130146Z
lastLoginTime: 20130409193943Z
passwordExpirationTime: 20130709182434Z
userPassword:: <REMOVED>
mail: <REMOVED>
sn: <REMOVED>
preferredLanguage: en
cn: <REMOVED>
uid: <REMOVED>
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
givenName: <REMOVED>
I'm freshly out of ideas, thanks for helping.
Eric
389-users@lists.fedoraproject.org
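The post above sets passwordLockout, passwordMaxFailure and passwordUnlock on a subtree policy and then reads passwordRetryCount and retryCountResetTime back from the user entry. The following is an added example (not code from the post, and not part of 389 Directory Server) that models the bookkeeping those attributes represent, so that a reader can check what a given entry and policy should produce: failures are counted only while passwordLockout is on; the count is discarded once retryCountResetTime (set passwordResetFailureCount seconds after the first failure) has passed; reaching passwordMaxFailure locks the account; with passwordUnlock off the lock stays until an administrator clears it, otherwise it expires at accountUnlockTime. Because passwordRetryCount is kept per replica unless passwordIsGlobalPolicy is on, the replay function keys its counters on a server label. The sample LDIF is constructed from the post with the redacted DN components replaced by dc=example; the function names, the server labels and the exact "locked binds are not counted" rule are this example's own assumptions.

```python
"""Model of 389 Directory Server password-lockout bookkeeping (added example, not 389 DS code)."""
from datetime import datetime, timedelta, timezone

# Constructed sample data modelled on the post (redacted DN parts replaced by dc=example).
POLICY_LDIF = """\
dn: cn=cn=nsPwPolicyEntry,ou=People,dc=example,dc=com,cn=nsPwPolicyContainer,ou=People,dc=example,dc=com
passwordLockout: on
passwordMaxFailure: 3
passwordUnlock: off
passwordResetFailureCount: 600
"""

USER_LDIF = """\
dn: uid=eric,ou=People,dc=example,dc=com
passwordRetryCount: 1
retryCountResetTime: 20130410130146Z
lastLoginTime: 20130409193943Z
"""


def parse_ldif(text):
    """Collect 'attr: value' lines into {attr_lowercased: [values]}.
    '::' (base64) values are kept undecoded; '-' separators and comments are skipped."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or line.strip() == "-":
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        attrs.setdefault(name.strip().lower(), []).append(value.lstrip(": ").strip())
    return attrs


def first(attrs, name, default=None):
    """First value of an attribute (case-insensitive name), or the default when absent."""
    return attrs.get(name.lower(), [default])[0]


def gen_time(value):
    """Parse an LDAP GeneralizedTime such as 20130410130146Z into an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def lockout_state(entry, policy, now):
    """Interpret an entry as ldapsearch shows it: (locked, effective_count, explanation)."""
    if first(policy, "passwordLockout", "off").lower() != "on":
        return False, 0, "passwordLockout is off; failed binds are not counted"
    max_failure = int(first(policy, "passwordMaxFailure", 3))
    count = int(first(entry, "passwordRetryCount", 0))
    reset_at = first(entry, "retryCountResetTime")
    if reset_at is not None and gen_time(reset_at) <= now:
        count = 0  # reset window has passed: the next failure starts again at 1
    if count < max_failure:
        return False, count, f"{count} of {max_failure} failures within the reset window"
    if first(policy, "passwordUnlock", "on").lower() == "off":
        return True, count, "locked until an administrator resets the account"
    unlock_at = first(entry, "accountUnlockTime")
    if unlock_at is not None and gen_time(unlock_at) <= now:
        return False, count, "lockout duration has expired"
    return True, count, "locked until accountUnlockTime"


def simulate_failed_binds(policy, attempts, global_policy=False):
    """Replay (time, server) failed-bind events and return the per-server state:
    {server: {"count": n, "reset_at": datetime|None, "locked_at": datetime|None}}.
    With passwordIsGlobalPolicy off every master keeps its own passwordRetryCount, so
    failures are keyed per server; with it on the counters replicate and one shared
    counter is used. Binds against an already locked account are assumed not to count."""
    max_failure = int(first(policy, "passwordMaxFailure", 3))
    reset_after = int(first(policy, "passwordResetFailureCount", 600))  # 0 = never reset
    unlock = first(policy, "passwordUnlock", "on").lower() == "on"
    lock_for = int(first(policy, "passwordLockoutDuration", 3600))
    state = {}
    for when, server in sorted(attempts):
        key = "shared" if global_policy else server
        s = state.setdefault(key, {"count": 0, "reset_at": None, "locked_at": None})
        if s["locked_at"] is not None:
            if unlock and when >= s["locked_at"] + timedelta(seconds=lock_for):
                s.update(count=0, reset_at=None, locked_at=None)  # lock expired
            else:
                continue
        if s["reset_at"] is not None and when >= s["reset_at"]:
            s["count"] = 0
        if s["count"] == 0:
            s["reset_at"] = when + timedelta(seconds=reset_after) if reset_after else None
        s["count"] += 1
        if s["count"] >= max_failure:
            s["locked_at"] = when
    return state


if __name__ == "__main__":
    policy, entry = parse_ldif(POLICY_LDIF), parse_ldif(USER_LDIF)
    print(lockout_state(entry, policy, gen_time("20130410125000Z")))
    t0 = gen_time("20130410120000Z")
    spread = [(t0 + timedelta(seconds=i * 5), "m1" if i % 2 == 0 else "m2") for i in range(4)]
    print("per-replica:", simulate_failed_binds(policy, spread))
    print("global:", simulate_failed_binds(policy, spread, global_policy=True))
```

The replay makes two things visible that a single ldapsearch does not: failures spaced further apart than passwordResetFailureCount never accumulate beyond 1, and a client whose connections land on different masters under a non-global policy splits its failures across separate counters, while the same sequence with the counters shared reaches passwordMaxFailure.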