[389-users] One supplier; two consumers : how to enable replication of Account Lockout policy attributes?

Jon Detert jdetert at infinityhealthcare.com
Mon Feb 24 21:33:05 UTC 2014


----- Original Message -----
> From: "Rich Megginson" <rmeggins at redhat.com>
> To: "General discussion list for the 389 Directory server project." <389-users at lists.fedoraproject.org>
> Sent: Monday, February 24, 2014 2:48:38 PM
> Subject: Re: [389-users] One supplier; two consumers : how to enable replication of Account Lockout policy
> attributes?
> 
> On 02/24/2014 01:34 PM, Jon Detert wrote:
> > I want the account lockout policy of all 3 servers to be the same, and the
> > account lockout status of a given bind-dn to be the same across all 3.
> >
> > I made the config shown below, but when I locked an account via purposely
> > failed bind attempts to one of the consumers, neither the supplier nor the
> > other consumer got informed that the account was locked.  Any ideas?
> 
> Looks like you are halfway there.
> 
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Replicating-Password-Attributes.html
>
> Are any of these consumers read-only?  If so, then you'll have to do
> something like chain-on-bind request so that the password policy
> attributes are stored on a writable master.
> http://www.port389.org/wiki/Howto:ChainOnUpdate

Both consumers are read-only.  I'd thought 'consumer' was synonymous with 'read-only replica'.  No?

So, I'll need to work out the chainOnUpdate to get things to work like I want.  Can I arrange so that my 2 ro replicas will only chain updates of Account Policy attributes?  I.e. so that they are ro except w.r.t. Account Policy Attributes?

Lastly, there's something about this section:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Replicating-Password-Attributes.html#replicating-pwd-policy
that I don't understand.  It says that you only have to turn on the passwordIsGlobalPolicy on the 'consumers'.  So, I locked an account via my rw supplier (aka 'master').  However, the account lockout policy attrs did not get replicated to my 2 ro consumers.  But when I turned on the passwordIsGlobalPolicy on my rw supplier, locked another account via the rw supplier, the attrs were replicated to my 2 ro consumers.  So, am I misunderstanding what a 'consumer' is, or is the documentation wrong?

Thanks,

Jon

> > The config:
> > ====================
> >
> > I ran this on the supplier and both consumers:
> > ldapmodify -h localhost -cax -D "cn=directory manager" -y ~/pword <<BYE
> > dn: cn=config
> > changetype: modify
> > add: passwordLockout
> > passwordLockout: on
> > -
> > add: passwordUnlock
> > passwordUnlock: on
> > -
> > add: passwordMaxFailure
> > passwordMaxFailure: 20
> > -
> > add: passwordLockoutDuration
> > passwordLockoutDuration: 3600
> > -
> > add: passwordResetFailureCount
> > passwordResetFailureCount: 600
> >
> > BYE
> >
> > And this on each of the 2 consumers:
> >
> > ldapmodify -h localhost -D cn="Directory Manager" -y ~/pword <<BYE
> > dn: cn=config
> > changetype: modify
> > replace: passwordIsGlobalPolicy
> > passwordIsGlobalPolicy: on
> > BYE
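A check for the state described above, added here as an example and not part of the thread: it parses the LDIF that ldapsearch returns for the lockout operational attributes (passwordRetryCount, retryCountResetTime, accountUnlockTime) from each server and reports where the replicas disagree. The hostnames, entry DN and LDIF samples are constructed placeholders.

```python
import base64

# Operational attributes 389 DS keeps for account-lockout state; these are
# the values passwordIsGlobalPolicy lets the supplier replicate.
LOCKOUT_ATTRS = ("passwordRetryCount", "retryCountResetTime", "accountUnlockTime")

def parse_ldif_entry(ldif):
    """Parse one LDIF entry into {attribute (lower-cased): value}, unfolding
    continuation lines and decoding 'attr:: <base64>' values."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:        # folded continuation line
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):                # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry[attr.strip().lower()] = value.strip()
    return entry

def lockout_state(ldif):
    """Lockout attributes of an entry; '<absent>' marks an unset attribute."""
    entry = parse_ldif_entry(ldif)
    return {a: entry.get(a.lower(), "<absent>") for a in LOCKOUT_ATTRS}

def diverging_attrs(ldif_per_host):
    """Return {attr: {host: value}} for every lockout attribute whose value is
    not the same on all hosts; an empty dict means the replicas agree."""
    states = {host: lockout_state(ldif) for host, ldif in ldif_per_host.items()}
    return {attr: {h: s[attr] for h, s in states.items()}
            for attr in LOCKOUT_ATTRS
            if len({s[attr] for s in states.values()}) > 1}

# Constructed sample: output of `ldapsearch -LLL ... -b <entry DN> passwordRetryCount
# retryCountResetTime accountUnlockTime` on each server after 20 failed binds to
# consumer1 only, i.e. the situation the thread describes.
SAMPLE = {
    "consumer1.example.com": "dn: uid=jdoe,ou=people,dc=example,dc=com\n"
                             "passwordRetryCount:: MjA=\n"        # base64 for "20"
                             "retryCountResetTime: 20140224214305Z\n"
                             "accountUnlockTime: 20140224223305Z\n",
    "consumer2.example.com": "dn: uid=jdoe,ou=people,dc=example,dc=com\npasswordRetryCount: 0\n",
    "supplier.example.com": "dn: uid=jdoe,ou=people,dc=example,dc=com\npasswordRetryCount: 0\n",
}
```

Run the ldapsearch on each of the three servers and pass the outputs in place of SAMPLE; an entry whose passwordRetryCount sits at the limit on one replica and at 0 on the others is exactly the non-replicated lockout described above.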
