Hi,
I have one master and two slave servers, 2.3.27 from RHEL 5.2. Replication is done by syncrepl. Now I have to use the password policy overlay and account locking after a few unsuccessful binds. When the bind is on the master server, everything works OK - the lock is replicated to the slaves. But when the user binds on a slave, the lock is only on that slave and the account on the master and the second slave is unlocked. What is the best solution to this problem? I think some kind of multiple-master replication of pwdAccountLockedTime and pwdFailureTime from the slaves? But multiple-master is available since version 2.4, isn't it?
Many thanks for the advice, Netolish
On Wednesday 13 August 2008 15:51:30 Jiri Netolicky wrote:
> Hi,
> I have one master and two slave servers, 2.3.27 from RHEL 5.2. Replication is done by syncrepl. Now I have to use the password policy overlay and account locking after a few unsuccessful binds. When the bind is on the master server, everything works OK - the lock is replicated to the slaves. But when the user binds on a slave, the lock is only on that slave and the account on the master and the second slave is unlocked. What is the best solution to this problem? I think some kind of multiple-master replication of pwdAccountLockedTime and pwdFailureTime from the slaves? But multiple-master is available since version 2.4, isn't it?
A multi-master environment may *still* have non-master slaves.
IMHO, pwdAccountLockedTime needs to be chained back to the master, and pwdFailureTime on slaves needs to be removed on password reset.
At present it is necessary to script around the pwdAccountLockedTime issue, but there is no hope for pwdFailureTime (so many of my users get locked out again very soon if they happen to have failed a few times against a slave).
Regards, Buchan
openldap-software@openldap.org
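One way to script around the pwdAccountLockedTime gap discussed in this thread, as an added example that is not code from either poster or from OpenLDAP: it reads ldapsearch-style LDIF collected from the master and each slave and emits the LDIF modifications that would put slave-only locks onto the master, from where syncrepl carries them to every slave. Assumptions: the input LDIF is unwrapped and not base64-encoded, the master lets an administrative identity write pwdAccountLockedTime, the later of two timed locks should win, and all DNs and timestamps shown are constructed.

```python
import re

PERMANENT = "000001010000Z"          # ppolicy value for a permanent lock
STAMP = re.compile(r"^\d{14}Z$")     # YYYYMMDDHHMMSSZ, sorts lexicographically

def parse_locks(ldif):
    """Map DN -> pwdAccountLockedTime from unwrapped, non-base64 LDIF."""
    locks, dn = {}, None
    for line in ldif.splitlines():
        if not line.strip():
            dn = None                          # blank line ends the entry
        elif line.lower().startswith("dn: "):
            dn = line[4:].strip()
        elif dn and line.lower().startswith("pwdaccountlockedtime: "):
            value = line.split(": ", 1)[1].strip()
            if value == PERMANENT or STAMP.match(value):
                locks[dn] = value              # malformed values are ignored
    return locks

def strongest(a, b):
    """Assumed merge rule: permanent beats timed; else keep the later lock."""
    if PERMANENT in (a, b):
        return PERMANENT
    return max(a, b)

def master_updates(master_ldif, slave_ldifs):
    """Return LDIF that sets on the master any lock seen only on a slave."""
    on_master = parse_locks(master_ldif)
    wanted = {}
    for ldif in slave_ldifs:
        for dn, value in parse_locks(ldif).items():
            wanted[dn] = strongest(wanted[dn], value) if dn in wanted else value
    out = []
    for dn in sorted(wanted):
        if dn in on_master:
            continue  # already locked on the master; syncrepl carries it
        out.append(f"dn: {dn}\nchangetype: modify\n"
                   f"replace: pwdAccountLockedTime\n"
                   f"pwdAccountLockedTime: {wanted[dn]}\n-\n")
    return "\n".join(out)

# Constructed sample search output (not from the thread).
MASTER = "dn: uid=carol,ou=people,dc=example,dc=com\npwdAccountLockedTime: 20080813120000Z\n"
SLAVE1 = ("dn: uid=alice,ou=people,dc=example,dc=com\npwdAccountLockedTime: 20080813135130Z\n\n"
          "dn: uid=carol,ou=people,dc=example,dc=com\npwdAccountLockedTime: 20080813120000Z\n")
SLAVE2 = ("dn: uid=alice,ou=people,dc=example,dc=com\npwdAccountLockedTime: 20080813140500Z\n\n"
          "dn: uid=bob,ou=people,dc=example,dc=com\npwdAccountLockedTime: 000001010000Z\n")

if __name__ == "__main__":
    print(master_updates(MASTER, [SLAVE1, SLAVE2]))
```

This covers only pwdAccountLockedTime; pwdFailureTime values left on a slave are not touched.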