Paul B. Henson wrote:
From: Michael Ströder
BTW: AFAIK write operations to 'pwdFailureTime' are normally not replicated.
Hmm, in my initial testing, it seemed to be.
The attribute is replicated when the entry is replicated as a whole (e.g. during initial phase). I'd rather consider this to be a bug though. Use exattrs in your syncrepl statement.
But AFAICS slapo-ppolicy's write operation on this attribute does not trigger the replication.
Account lockout wouldn't be nearly as useful if the failures were not synchronized across all of the servers and the settings were applied separately on each one. (Well, arguably account lockout is not useful in general :),
Glad you already remarked that yourself. ;-)
but as a checkbox on an audit form it would be less useful if the failures weren't synchronized).
I have quite some experience discussing that with security folks. Most of them are open to good arguments. But personally I wonder why I have to tell security folks about this DoS attack vector. Anyway...
Ciao, Michael.
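An added example, not part of the original thread: one way to check on your own deployment whether 'pwdFailureTime' values match between a provider and a consumer is to compare LDIF exports from both. The function names and the sample LDIF are constructed for illustration.

```python
import base64

# Constructed sample exports; DNs and timestamps are made up for illustration.
PROVIDER_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
pwdFailureTime: 20240101120000Z
pwdFailureTime: 20240101120005Z

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
"""
CONSUMER_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
pwdFailureTime: 20240101120000Z
pwdFailureTime: 20240101120300Z

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
"""

def parse_ldif(text, attr="pwdFailureTime"):
    """Map each DN (lower-cased) to the sorted values of attr."""
    # Unfold continuation lines: a newline followed by a single space.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    entries = {}
    for block in unfolded.split("\n\n"):
        dn, values = None, []
        for line in block.splitlines():
            name, sep, rest = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            b64 = rest.startswith(":")  # "attr:: <base64 value>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8") if b64 else rest.strip()
            if name.lower() == "dn":
                dn = value.lower()
            elif name.lower() == attr.lower():
                values.append(value)
        if dn is not None:
            entries[dn] = sorted(values)
    return entries

def failure_time_drift(provider_ldif, consumer_ldif):
    """Return {dn: (provider_only, consumer_only)} for entries whose values differ."""
    p, c = parse_ldif(provider_ldif), parse_ldif(consumer_ldif)
    drift = {}
    for dn in sorted(set(p) | set(c)):
        pv, cv = set(p.get(dn, [])), set(c.get(dn, []))
        if pv != cv:
            drift[dn] = (sorted(pv - cv), sorted(cv - pv))
    return drift
```

An empty result means the two exports agree on every entry's failure timestamps; any DN in the result has failures recorded on one server that the other does not know about.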