Vince Mele via FreeIPA-users wrote:
> On Thu, Jul 20, 2017 at 10:41 AM, Rob Crittenden via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
>
> > Kat via FreeIPA-users wrote:
> > > Hi,
> > >
> > > If I have a simple pair of FreeIPA servers and one is showing different
> > > failed auth times for a user -- is this a good indication they are out
> > > of sync? Should I not see the same failures on both?
> >
> > The lockout attributes are per-server (not replicated).
> >
> > rob
>
> Is there a way to turn this on globally? I've seen FreeIPA proposals
> that go back years regarding a global lockout attribute that could be
> replicated. I've also seen the 389 config setting passwordIsGlobalPolicy.
>
> I am personally less concerned about amplifying the number of password
> attempts allowed before lockout (e.g., if lockouts are local to each
> replica, then a user can attempt passwordRetryCount x number of
> replicas). My focus is ensuring that if an account is locked out on one
> or more replica(s), that an unlock sent to one replica will push to all
> other replicas. Otherwise, I will have to manually update and check
> every replica every time a user needs their account unlocked. We have a
> burdensome requirement (supposedly) that requires all locked accounts to
> be manually unlocked.
The issue is that every time a user logs in, or fails to, a replication
event will be triggered. So imagine in the morning as everyone arrives.
Depending on the size of your userbase this could be extensive.

But as I recall the replication agreements are set up with a list of
excluded attributes including the lockout ones: krblastsuccessfulauth,
krblastfailedauth, krbloginfailedcount. You could modify the
nsDS5ReplicatedAttributeList attribute in the replication agreements and
remove those attributes and they should replicate.

rob
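Rob's suggestion above, as an added example that is not from the thread or from the FreeIPA project: a small Python script that rewrites the EXCLUDE clause of an nsDS5ReplicatedAttributeList value so the three lockout attributes replicate again, and emits the LDIF an admin would feed to ldapmodify. It assumes the 389-ds value syntax `(objectclass=*) $ EXCLUDE attr1 attr2 ...`; the sample value and the agreement DN are constructed placeholders, not values from the thread.

```python
"""Added example: drop the Kerberos lockout attributes from a 389-ds
replication agreement's nsDS5ReplicatedAttributeList exclusion list.
Run it once per agreement on every replica (each server holds its own
agreements), then apply the LDIF with ldapmodify as Directory Manager.
Expect more replication traffic afterwards: every login success or
failure then becomes a replicated change, as Rob warns above."""

# The attributes Rob names as excluded from replication on FreeIPA.
LOCKOUT_ATTRS = {"krblastsuccessfulauth", "krblastfailedauth",
                 "krbloginfailedcount"}


def parse_replicated_attr_list(value):
    """Split '(objectclass=*) $ EXCLUDE a b c' into ('(objectclass=*)',
    ['a', 'b', 'c']). Raises ValueError on any other shape so a typo
    in the agreement is not silently turned into a wrong modify."""
    ldap_filter, sep, rest = value.partition("$")
    tokens = rest.split()
    if not sep or not tokens or tokens[0].upper() != "EXCLUDE":
        raise ValueError("expected '<filter> $ EXCLUDE attr...'")
    return ldap_filter.strip(), tokens[1:]


def drop_lockout_attrs(value):
    """Return (new_value, removed_attrs). Idempotent: a value that no
    longer excludes the lockout attributes comes back unchanged."""
    ldap_filter, excluded = parse_replicated_attr_list(value)
    removed = [a for a in excluded if a.lower() in LOCKOUT_ATTRS]
    kept = [a for a in excluded if a.lower() not in LOCKOUT_ATTRS]
    return f"{ldap_filter} $ EXCLUDE {' '.join(kept)}".rstrip(), removed


def build_ldif(agreement_dn, new_value):
    """LDIF that replaces the attribute on one replication agreement.
    agreement_dn is the agreement entry under cn=mapping tree,cn=config."""
    return "\n".join([f"dn: {agreement_dn}", "changetype: modify",
                      "replace: nsDS5ReplicatedAttributeList",
                      f"nsDS5ReplicatedAttributeList: {new_value}", ""])


if __name__ == "__main__":
    # Constructed sample resembling a FreeIPA agreement; not a real server.
    sample = ("(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn "
              "krblastsuccessfulauth krblastfailedauth krbloginfailedcount")
    placeholder_dn = "cn=AGREEMENT_NAME,cn=replica,cn=SUFFIX,cn=mapping tree,cn=config"
    new_value, removed = drop_lockout_attrs(sample)
    print("removed from exclusion list:", ", ".join(removed))
    print(build_ldif(placeholder_dn, new_value))
```

Check the current value first with an ldapsearch for nsDS5ReplicatedAttributeList under cn=config before applying, since the exclusion list also carries attributes such as memberof and entryusn that must stay excluded.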