Escalated to Bugzilla from IssueTracker
I don't think it's related to bug 182638 which is probably a configuration
problem (either that or MMR doesn't work at all!).
The attributes passwordRetryCount, retryCountResetTime, and accountUnlockTime
are not replicated by default. You must set the configuration attribute
passwordIsGlobalPolicy to the value 1 in cn=config, e.g. with ldapmodify:
Brian, can you review these and either:
- assign them to yourself or bcleary as appropriate, or
- resolve them as won't do if they fall inside books or sections that we're not
going to update
Adding 'cc firstname.lastname@example.org for tracking
Removing automation notification
I added this in a brief section to the jumble at the end of the replication
Assigning to Rich for review.
Here's the text, if it helps:
8.12. Replicating Account Lockout Attributes
By default, three password policy attributes are not replicated, even if other
password attributes are. These attributes are related to of login failures and
To enable these attributes to be replicated, change the passwordIsGlobalPolicy
ldapmodify -h consumer1.example.com -p 389 -D "cn=directory manager" -w password
Changing that value to 1 allows the passwordRetryCount, retryCountResetTime,
and accountUnlockTime attributes to be replicated. No other configuration is necessary.
We need to explain what this means to the admin - something like this:
"By default, account lockout is local to each replica, meaning you can attempt
to log in to one replica N times, then try again N times on another replica, and
so on. This section explains how to configure a replication master to replicate
the account lockout information so that the user is locked out of all masters
and replicas if the user fails to log in to that replication master."
Good point, and added in:
I think this has been addressed in the 8.0 docs. If so, please change status to
These changes are live in the 8.1 docs at http://www.redhat.com/docs/manuals/dir-server/8.1. Closing.
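The following is an added example, not part of this bug thread or of the Directory Server documentation. It shows how an administrator could check access logs from several replicas for the situation described above: failed binds for one entry that together reach the lockout threshold N while no single replica has counted that many. The log lines are constructed samples in the style of the Directory Server access log, the function names and replica names are hypothetical, and all lines are assumed to fall within one failure-count window with no successful bind in between.

```python
import re
from collections import defaultdict

BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')

def failed_binds(lines):
    """Count err=49 (invalid credentials) bind results per DN in one replica's log."""
    pending, failures = {}, defaultdict(int)
    for line in lines:
        if m := BIND.search(line):
            pending[(m[1], m[2])] = m[3].lower()   # DNs compare case-insensitively
        elif m := RESULT.search(line):
            dn = pending.pop((m[1], m[2]), None)   # None for non-bind operations
            if dn and m[3] == "49":                # empty DN = anonymous bind, skipped
                failures[dn] += 1
    return failures

def spread_failures(logs_by_replica, max_failure):
    """Return DNs whose failures summed over all replicas reach max_failure
    although no single replica counted that many (no local lockout fired)."""
    per_dn = defaultdict(dict)
    for replica, lines in logs_by_replica.items():
        for dn, n in failed_binds(lines).items():
            per_dn[dn][replica] = n
    return {dn: counts for dn, counts in per_dn.items()
            if sum(counts.values()) >= max_failure and max(counts.values()) < max_failure}

def _bind(conn, uid, err):
    """Build the two constructed log lines (BIND and RESULT) for one bind attempt."""
    ts = "[10/Mar/2009:10:00:00 -0500]"
    return [f'{ts} conn={conn} op=0 BIND dn="uid={uid},ou=People,dc=example,dc=com" method=128 version=3',
            f'{ts} conn={conn} op=0 RESULT err={err} tag=97 nentries=0 etime=0']

# Constructed sample data: two replicas, lockout threshold N = 3.
SAMPLE = {
    "master1": _bind(1, "jdoe", 49) + _bind(2, "jdoe", 49) + _bind(3, "asmith", 49),
    "master2": _bind(1, "jdoe", 49) + _bind(2, "jdoe", 49) + _bind(3, "asmith", 0),
}

if __name__ == "__main__":
    print(spread_failures(SAMPLE, 3))
```

With passwordIsGlobalPolicy set to 1 the retry count is replicated, so a DN reported here should shrink to a transient condition rather than a standing gap.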