[389-users] Consumer failed to replay change

Rich Megginson rmeggins at redhat.com
Thu Oct 22 15:58:57 UTC 2009


Brodie, Kent wrote:
> OK.   Further research--   it appears I have an issue with
> "passwordretrycount" not replicating--  which apparently (did some
> searches..) is a problem others have had, when the directory services is
> set up in a replicating fashion (multi-master in my case).   Has to do
> with global password policy settings, and what is allowed to replicate--
> or not.
>
> I found the offending entry (passwordretrycount existed for the user on
> one node, not the other) and deleted it.
>
> My question now is:   What's the correct solution to this?   Forum
> postings I've found thus far are unclear.  
>
> Any ideas appreciated!   --Kent
>
> PS:  Thanks for the tons of help, I learned a lot today on debugging
> this stuff for future issues...
>   
If you have password policy on, the directory server will make 
modifications to users' entries when they use password authentication.  
You may or may not want these to be replicated.

For example, if you have password retry counting with lockout enabled - 
if this policy is local only, a hacker could attempt to hack an account 
N times on master 1, N times on master 2, etc. So instead of the 
password retry count being N, it's really M x N.

If you care about this, you can enable these password policy attributes 
to be replicated and accepted on the consumer, by turning on the 
passwordIsGlobalPolicy in cn=config on each consumer.

If you do not want these attributes replicated at all, modify your 
replication agreement to exclude the following attributes from being 
replicated:
retryCountResetTime passwordRetryCount accountUnlockTime
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>   

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20091022/1924eb5d/attachment.bin>


More information about the 389-users mailing list