On Thu, Jul 20, 2017 at 10:41 AM, Rob Crittenden via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Kat via FreeIPA-users wrote:
> > Hi,
> >
> > If I have a simple pair of FreeIPA servers and one is showing different
> > failed auth times for a user -- is this a good indication they are out
> > of sync? Should I not see same failures on both?
>
> The lockout attributes are per-server (not replicated).
>
> rob
>
>
Is there a way to turn this on globally? I've seen FreeIPA proposals that
go back years regarding a global lockout attribute that could be
replicated. I've also seen the 389 config setting passwordIsGlobalPolicy.

I am personally less concerned about amplifying the number of password
attempts allowed before lockout (e.g., if lockouts are local to each
replica, then a user can attempt passwordRetryCount x number of replicas).
My focus is ensuring that if an account is locked out on one or more
replicas, an unlock sent to one replica will push to all other
replicas. Otherwise, I will have to manually update and check every replica
every time a user needs their account unlocked. We have a burdensome
requirement (supposedly) that requires all locked accounts to be manually
unlocked.
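An added example, not code from the thread, of the per-replica check described above: it takes constructed snapshots of the lockout attributes that an ldapsearch against each replica returns for one user entry (krbLoginFailedCount and krbLastFailedAuth, which are not replicated, plus krbLastAdminUnlock) and reports which replicas still hold a lock and how many attempts the whole topology allows. The locked/unlocked rule is a simplified assumption, not FreeIPA's exact lockout algorithm, and the replica names are made up.

```python
from datetime import datetime, timezone

# Constructed per-replica snapshots (not real data): what an ldapsearch for
# one user's lockout attributes might return from each replica.
SNAPSHOTS = {
    "ipa1.example.test": {"krbLoginFailedCount": "6",
                          "krbLastFailedAuth": "20170720104100Z"},
    "ipa2.example.test": {"krbLoginFailedCount": "2",
                          "krbLastFailedAuth": "20170719090000Z",
                          "krbLastAdminUnlock": "20170719093000Z"},
}


def parse_gentime(value):
    """Parse an LDAP GeneralizedTime value such as 20170720104100Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def replica_locked(attrs, max_failures):
    """Simplified rule (an assumption, not FreeIPA's exact algorithm): a replica
    counts as locked when its failure counter reached the policy maximum and no
    admin unlock is newer than the last failed authentication."""
    failed = int(attrs.get("krbLoginFailedCount", "0"))
    if failed < max_failures:
        return False
    last_fail = attrs.get("krbLastFailedAuth")
    unlock = attrs.get("krbLastAdminUnlock")
    if last_fail and unlock and parse_gentime(unlock) > parse_gentime(last_fail):
        return False
    return True


def summarize(snapshots, max_failures):
    """Report replicas still holding a lock, attempts consumed across the
    topology, and the combined budget (policy limit x number of replicas),
    which is the amplification effect of per-server counters."""
    locked = sorted(r for r, a in snapshots.items() if replica_locked(a, max_failures))
    consumed = sum(int(a.get("krbLoginFailedCount", "0")) for a in snapshots.values())
    return {"locked_on": locked,
            "attempts_consumed": consumed,
            "attempts_budget": max_failures * len(snapshots)}


if __name__ == "__main__":
    report = summarize(SNAPSHOTS, max_failures=6)
    for replica in report["locked_on"]:
        print(f"{replica}: still locked, unlock needed on this replica")
    print(f"failed attempts across replicas: "
          f"{report['attempts_consumed']}/{report['attempts_budget']}")
```

Replace the constructed snapshots with the attribute values read from each replica, and the report tells you exactly which servers still need the manual unlock.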
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org