[389-users] Consumer failed to replay change
rmeggins at redhat.com
Thu Oct 22 15:58:57 UTC 2009
Brodie, Kent wrote:
> OK. Further research-- it appears I have an issue with
> "passwordretrycount" not replicating-- which apparently (did some
> searches..) is a problem others have had, when the directory services is
> set up in a replicating fashion (multi-master in my case). Has to do
> with global password policy settings, and what is allowed to replicate--
> or not.
> I found the offending entry (passwordretrycount existed for the user on
> one node, not the other) and deleted it.
> My question now is: What's the correct solution to this? Forum
> postings I've found thus far are unclear.
> Any ideas appreciated! --Kent
> PS: Thanks for the tons of help, I learned a lot today on debugging
> this stuff for future issues...
If you have password policy on, the directory server will make
modifications to users' entries when they use password authentication.
You may or may not want these to be replicated.
For example, if you have password retry counting with lockout enabled -
if this policy is local only, a hacker could attempt to hack an account
N times on master 1, N times on master 2, etc. So instead of the
password retry count being N, it's really M x N.
If you care about this, you can enable these password policy attributes
to be replicated and accepted on the consumer, by turning on the
passwordIsGlobalPolicy in cn=config on each consumer.
If you do not want these attributes replicated at all, modify your
replication agreement to exclude the following attributes from being
retryCountResetTime passwordRetryCount accountUnlockTime
> 389 users mailing list
> 389-users at redhat.com
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
More information about the 389-users