[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Ppolicy locking and replication

On Wednesday 13 August 2008 15:51:30 Jiri Netolicky wrote:
> Hi,
> I have a one master and two slaves servers 2.3.27 from RHEL 5.2.
> Replication is done by syncrepl. Now I have to use password policy overlay
> and account locking after few unsuccessful bind. When the bind is on master
> server, everything
> works ok - the lock i replicated to the slaves. But when the user
> binds on slave,
> the lock is only on the slave and the account on master and second slave
> is unlocked.
> What is the best solution of this problem? I think some kind of
> multiple-master replication of pwdAccountLockedTime and pwdFailureTime from
> slaves? But multiple-master is since 2.4 version isnt' it?

A multi-master environment may *still* have non-master slaves.

IMHO, pwdAccountLockedTime needs to be chained back to the master, and 
pwdFailureTime on slaves needs to be removed on password reset.

At present is necessary to script around the pwdAccountLockedTime issue, but 
there is no hope for pwdFailureTime (so many of my users get locked out again 
very soon if they happen to have failed a few times against a slave).