[Fedora-directory-users] Account lockout counters not replicating; how to unlock users?

Bliss, Aaron ABliss at preferredcare.org
Tue Feb 7 22:11:03 UTC 2006


Here's my setup; 2 directory servers, 1 supplier, 1 consumer; I'm not
sure why, but for some reason I'm not seeing password retry counters
being replicated from the consumer to the supplier; here is what I've
seen (I have fds set up to lock accounts after 5 bad password attempts,
reset failure count after 15 minutes):
- if a user types their password incorrectly on a server that binds first
  to a consumer, then their password retry count increments only on the
  consumer
- if a user successfully binds to the server, then their password retry
  count does get reset
This is a problem for a couple of reasons. If an account becomes locked
out because of bad password attempts, I've tried deleting the attributes
of passwordRetryCount and accountUnlockTime
(http://directory.fedora.redhat.com/wiki/Howto:PasswordReset) from the
supplier, however for some reason this is not replicated to the consumer
(is this an indication of a different problem?). This is a problem as I
have some of my Linux servers look to the supplier first for
authentication, and then the consumer second, and vice versa for load
balancing. According to fds documentation, account lockout counters may
not work as expected in a multi master environment
(http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1086446);
this is one of the reasons that I opted for a single master
environment; please advise and thanks. Given the issues that I'm
having, what is the best way to unlock accounts that have been locked
due to bad password attempts?

Aaron
