Hi,
I have not received any input on this one; if some information is missing, please let me know so I can get this resolved.
Many thanks,
Eric

-------- Original Message --------
Subject: passwordRetryCount not incrementing past 1
Date: 2013-04-10 09:17
From: Eric Gingras eric@go2devnull.net
To: 389-users@lists.fedoraproject.org
Hi,
I have an issue with account lockout.
Setup:
2-node in MMR config
389-Directory/1.2.10.26 B2013.023.2027 (from fedorapeople repo)
RHEL 6.4 x86_64
What I did (as per docs), doing this as a subtree or local policy:
dn: cn=config
changetype: modify
replace: passwordIsGlobalPolicy
passwordIsGlobalPolicy: on

dn: cn=cn=nsPwPolicyEntry,ou=People,dc=<REMOVED>,dc=com,cn=nsPwPolicyContainer,ou=People,dc=<REMOVED>,dc=com
changetype: modify
replace: passwordExp
passwordExp: on
-
replace: passwordMaxAge
passwordMaxAge: 7862400
-
replace: passwordHistory
passwordHistory: on
-
replace: passwordInHistory
passwordInHistory: 3
-
replace: passwordCheckSyntax
passwordCheckSyntax: on
-
replace: passwordMinDigits
passwordMinDigits: 1
-
replace: passwordMinSpecials
passwordMinSpecials: 1
-
replace: passwordMinLowers
passwordMinLowers: 1
-
replace: passwordMinUppers
passwordMinUppers: 1
-
replace: passwordMinLength
passwordMinLength: 8
-
replace: passwordStorageScheme
passwordStorageScheme: SSHA512
-
replace: passwordLockout
passwordLockout: on
-
add: passwordMaxFailure
passwordMaxFailure: 3
-
add: passwordUnlock
passwordUnlock: off
I also need to track loginTime (no time-based lockout), again as per doc:
dn: cn=Account Policy Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on

dn: cn=Account Policy Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginarg0
nsslapd-pluginarg0: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
changetype: modify
replace: alwaysrecordlogin
alwaysrecordlogin: yes
-
add: stateattrname
stateattrname: lastLoginTime
-
add: altstateattrname
altstateattrname: createTimestamp
-
add: specattrname
specattrname: acctPolicySubentry
-
add: limitattrname
limitattrname: accountInactivityLimit
Restarted:
service dirsrv restart (on both nodes)
What I get (after purposely trying to bind with wrong pwd many times):
No lockout, passwordRetryCount stays at 1
dn: uid=<REMOVED>,ou=People,dc=<REMOVED>,dc=com
passwordRetryCount: 1
retryCountResetTime: 20130410130146Z
lastLoginTime: 20130409193943Z
passwordExpirationTime: 20130709182434Z
userPassword:: <REMOVED>
mail: <REMOVED>
sn: <REMOVED>
preferredLanguage: en
cn: <REMOVED>
uid: <REMOVED>
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
givenName: <REMOVED>
I'm fresh out of ideas; thanks for helping.
Eric
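A way to check the state described above on each replica separately: read the lockout attributes straight from one node after the deliberate failed binds and judge whether passwordRetryCount matches what the policy should have recorded. This is an added example, not code from the thread or from 389 DS; it assumes ldapsearch is in PATH, an admin bind DN with its password in a file, and the documented meaning of passwordRetryCount, retryCountResetTime and accountUnlockTime.

```python
"""Read back and judge 389 DS lockout state per replica. Added example for this thread,
not 389 DS code; assumes ldapsearch is in PATH and the documented attribute semantics."""
import subprocess
from datetime import datetime, timezone

def gt(s):
    """Parse LDAP GeneralizedTime (e.g. 20130410130146Z) into an aware UTC datetime."""
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_ldif(text):
    """Flatten one LDIF entry to {attr: [values]}; joins folded lines, leaves base64 (::) undecoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # continuation of the previous line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr, []).append(value.lstrip(": ").strip())
    return entry

def lockout_state(entry, attempts, max_failure, now):
    """Return (recorded_count, verdict) after `attempts` failed binds. Assumed semantics:
    accountUnlockTime = locked; count live only until retryCountResetTime; else min(attempts, max)."""
    count = int(entry.get("passwordRetryCount", ["0"])[0])
    if "accountUnlockTime" in entry:
        return count, "locked"
    reset = entry.get("retryCountResetTime")
    if reset and gt(reset[0]) <= now:
        return count, "stale: retryCountResetTime passed, next failure restarts at 1"
    if count < min(attempts, max_failure):
        return count, (f"count stuck at {count} after {attempts} failures: check that the "
                       "binds reached this replica and that the policy covers this subtree")
    if count >= max_failure:
        return count, "count at limit but no accountUnlockTime: lockout not applied"
    return count, f"{count}/{max_failure} failures recorded"

def read_lockout_attrs(host, admin_dn, pw_file, user_dn):
    """Query one node directly (no VIP in the path) for the operational lockout attributes."""
    cmd = ["ldapsearch", "-x", "-LLL", "-H", host, "-D", admin_dn, "-y", pw_file, "-b", user_dn,
           "-s", "base", "passwordRetryCount", "retryCountResetTime", "accountUnlockTime"]
    return parse_ldif(subprocess.run(cmd, capture_output=True, text=True, check=True).stdout)

# Constructed sample: the entry posted in the thread, redacted there as <REMOVED>.
SAMPLE = """dn: uid=<REMOVED>,ou=People,dc=<REMOVED>,dc=com
passwordRetryCount: 1
retryCountResetTime: 20130410130146Z
lastLoginTime: 20130409193943Z
passwordExpirationTime: 20130709182434Z
"""
```

Run `lockout_state(read_lockout_attrs(...), attempts, 3, datetime.now(timezone.utc))` against each node in turn; a verdict of "count stuck" on one node but not the other points at where the failed binds actually landed.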
Are you using any kind of VIP or load balancer in front of the two instances?
On Fri, Apr 12, 2013 at 12:15 PM, Eric Gingras eric@go2devnull.net wrote:
Yes, but not for the lockout testing; I went straight to the individual nodes with ldapsearch containing invalid credentials (simplest case).
Eric
On 2013-04-12 13:24, Jim Finn wrote:
Are you using any kind of VIP or load balancer in front of the two instances?
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users