Sure, please see below. I have removed the krbloginfailedcount attribute from both
nsDS5ReplicatedAttributeListTotal and nsDS5ReplicatedAttributeList:
ldapsearch -h idm1 -x -b "cn=domain,cn=topology,cn=ipa,cn=etc,dc=test,dc=mcd,dc=com" -D "uid=admin,cn=users,cn=accounts,dc=test,dc=mcd,dc=com" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=domain,cn=topology,cn=ipa,cn=etc,dc=test,dc=mcd,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# domain, topology, ipa, etc, test.mcd.com
dn: cn=domain,cn=topology,cn=ipa,cn=etc,dc=test,dc=mcd,dc=com
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn
krblastsuccessfulauth krblastfailedauth
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn
krblastsuccessfulauth krblastfailedauth
objectClass: top
objectClass: iparepltopoconf
ipaReplTopoConfRoot: dc=test,dc=mcd,dc=com
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName
internalModifyTimestamp
cn: domain
#
# idm1.test.mcd.com-to-idm2.test.mcd.com, domain, topology, ipa, etc, test.mcd.com
dn: cn=idm1.test.mcd.com-to-idm2.test.mcd.com,cn=domain,cn=topology,cn=ipa,cn=etc,dc=test,dc=mcd,dc=com
ipaReplTopoSegmentDirection: both
objectClass: iparepltoposegment
objectClass: top
cn: idm1.test.mcd.com-to-idm2.test.mcd.com
ipaReplTopoSegmentLeftNode: idm1.test.mcd.com
ipaReplTopoSegmentRightNode: idm2.test.mcd.com
ipaReplTopoSegmentStatus: autogen
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
On Aug 30, 2018, at 3:30 PM, Rob Crittenden <rcritten@redhat.com> wrote:
Yuri Krysko via FreeIPA-users wrote:
Hello FreeIPA Community!
My FreeIPA setup consists of two servers in a master-master replication
scenario. I have recently made a change to the LDAP schema to *not*
exclude the *krbloginfailedcount* attribute from replication. I am seeing
incremental updates being pushed from the server where the failed login
occurs, and the other FreeIPA server acquires these replication updates;
however, it does not seem to update its *krbloginfailedcount* for the
respective user. Hence, my goal of having a user account locked out after X
number of failed logins irrespective of the auth server is not
successful, as each server still seems to maintain its own version of
failed auth attempts. Am I doing something wrong?
We would need to see what changes you made.
rob
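Added example, not code from the thread or from FreeIPA: a small Python check that unfolds ldapsearch LDIF output like the listing above and reports, for each of the two fractional-replication lists (nsDS5ReplicatedAttributeList for incremental updates, nsDS5ReplicatedAttributeListTotal for total re-initialisation), whether a given attribute is excluded. The sample LDIF is constructed (example.test domain) and deliberately shows krbloginfailedcount removed from only one list, the inconsistent state the poster avoided by editing both.

```python
"""Report whether a FreeIPA topology entry excludes an attribute from replication."""
import re

# Constructed sample modelled on the ldapsearch output posted above. LDIF folds long
# values: a continuation line starts with one space, which unfolding drops, so the
# first line keeps its trailing space. Here krbloginfailedcount was removed from the
# incremental list only, the kind of half-done change this check is meant to catch.
SAMPLE_LDIF = "\n".join([
    "dn: cn=domain,cn=topology,cn=ipa,cn=etc,dc=example,dc=test",
    "nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn ",
    " krblastsuccessfulauth krblastfailedauth krbloginfailedcount",
    "nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial ",
    " entryusn krblastsuccessfulauth krblastfailedauth",
    "objectClass: iparepltopoconf",
])

# 389-ds fractional replication value syntax: "(objectclass=*) $ EXCLUDE attr1 attr2 ..."
EXCLUDE_RE = re.compile(r"^\(objectclass=\*\)\s*\$\s*EXCLUDE\s+(.*)$", re.IGNORECASE)
LISTS = {"nsds5replicatedattributelist": "incremental", "nsds5replicatedattributelisttotal": "total"}


def unfold_ldif(text):
    """Yield (attribute, value) pairs, joining folded lines and skipping comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # RFC 2849 unfolding: drop only the leading space
        else:
            lines.append(raw)
    for line in lines:
        attr, _, value = line.partition(":")
        yield attr.strip().lower(), value.strip()


def excluded_attributes(ldif_text):
    """Return {"incremental": set(...), "total": set(...)} of excluded attribute names."""
    result = {label: set() for label in LISTS.values()}
    for attr, value in unfold_ldif(ldif_text):
        m = EXCLUDE_RE.match(value) if attr in LISTS else None
        if m:
            result[LISTS[attr]] = {a.lower() for a in m.group(1).split()}
    return result


def replication_status(ldif_text, name):
    """Per list, "excluded" or "replicated" for `name`; the two lists should normally agree."""
    excluded = excluded_attributes(ldif_text)
    return {label: "excluded" if name.lower() in attrs else "replicated"
            for label, attrs in excluded.items()}
```

Run it against `ldapsearch -LLL` output of the real cn=domain,cn=topology entry instead of SAMPLE_LDIF; an attribute reported as excluded in one list and replicated in the other is worth a second look.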