Bug 190824
| Summary: | RHDS 7.1 master-master replication not carrying over all attributes to consumer | ||
|---|---|---|---|
| Product: | Red Hat Directory Server | Reporter: | Issue Tracker <tao> |
| Component: | Replication - General | Assignee: | Deon Ballard <dlackey> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Chandrasekar Kannan <ckannan> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.1 | CC: | benl, dlackey, tao |
| Target Milestone: | DSDocs | Keywords: | Documentation |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-05-01 22:23:15 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 152373, 240316 | ||
|
Description
Issue Tracker
2006-05-05 15:38:56 UTC
I don't think it's related to bug 182638 which is probably a configuration problem (either that or MMR doesn't work at all!). The attributes passwordRetryCount, retryCountResetTime, and accountUnlockTime are not replicated by default. You must set the configuration attribute passwordIsGlobalPolicy to the value 1 in cn=config e.g. with ldapmodify: dn: cn=config changetype: modify replace: passwordIsGlobalPolicy passwordIsGlobalPolicy: 1 Setting tracking. Brian, can you review these and either: - assign them to yourself or bcleary as appropriate, or - resolve them as won't do if they fall inside books or sections that we're not going to update tks David Adding 'cc ecs-dev-list for tracking Removing automation notification I added this in a brief section to the jumble at the end of the replication chapter. Docbot link: http://engineering.redhat.com/docbot/en-US/Red_Hat_Directory_Server/8.0/html/ Administration_Guide/Managing_Replication-Replicating-Password-Attributes.html Assigning to Rich for review. Here's the text, if it helps:
8.12. Replicating Account Lockout Attributes
By default, three password policy attributes are not replicated, even if other
password attributes are. These attributes are related to of login failures and
lockout periods:
*
passwordRetryCount
*
retryCountResetTime
*
accountUnlockTime
To enable these attributes to be replicated, change the passwordIsGlobalPolicy
configuration attribute:
ldapmodify -h consumer1.example.com -p 389 -D "cn=directory manager" -w password
dn: cn=config
changetype: modify
replace: passwordIsGlobalPolicy
passwordIsGlobalPolicy: 1
Changing that value to 1 allows the passwordRetryCount, retryCountResetTime,
and accountUnlockTime to be replicated. No other configuration is necessary.
We need to explain what this means to the admin - something like this: "By default, account lockout is local to each replica, meaning you can attempt to login to one replica N times, then try again N times on another replica, and so on. This section explains how to configure a replication master to replicate the account lockout information so that the user is locked out of all masters and replicas if the user fails to login to that replication master." Good point, and added in: http://engineering.redhat.com/docbot/en-US/Red_Hat_Directory_Server/8.0/html/Administration_Guide/Managing_Replication-Replicating-Password-Attributes.html I think this has been addressed in the 8.0 docs. If so, please change status to MODIFIED. External link: http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replicating-Password-Attributes.html These changes are live in the 8.1 docs at http://www.redhat.com/docs/manuals/dir-server/8.1. Closing. |