Hi,
If I have a simple pair of FreeIPA servers and one is showing different failed auth times for a user -- is this a good indication they are out of sync? Should I not see the same failures on both?
-k
Kat via FreeIPA-users wrote:
Hi,
If I have a simple pair of FreeIPA servers and one is showing different failed auth times for a user -- is this a good indication they are out of sync? Should I not see the same failures on both?
The lockout attributes are per-server (not replicated).
rob
On Thu, Jul 20, 2017 at 10:41 AM, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Kat via FreeIPA-users wrote:
Hi,
If I have a simple pair of FreeIPA servers and one is showing different failed auth times for a user -- is this a good indication they are out of sync? Should I not see the same failures on both?
The lockout attributes are per-server (not replicated).
rob
Is there a way to turn this on globally? I've seen FreeIPA proposals that go back years regarding a global lockout attribute that could be replicated. I've also seen the 389 config setting passwordIsGlobalPolicy.
I am personally less concerned about amplifying the number of password attempts allowed before lockout (e.g., if lockouts are local to each replica, then a user can attempt passwordRetryCount x number of replicas). My focus is ensuring that if an account is locked out on one or more replica(s), that an unlock sent to one replica will push to all other replicas. Otherwise, I will have to manually update and check every replica every time a user needs their account unlocked. We have a burdensome requirement (supposedly) that requires all locked accounts to be manually unlocked.
Vince Mele via FreeIPA-users wrote:
On Thu, Jul 20, 2017 at 10:41 AM, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Kat via FreeIPA-users wrote:
> Hi,
>
> If I have a simple pair of FreeIPA servers and one is showing different
> failed auth times for a user -- is this a good indication they are out
> of sync? Should I not see the same failures on both?

The lockout attributes are per-server (not replicated).

rob
Is there a way to turn this on globally? I've seen FreeIPA proposals that go back years regarding a global lockout attribute that could be replicated. I've also seen the 389 config setting passwordIsGlobalPolicy.
I am personally less concerned about amplifying the number of password attempts allowed before lockout (e.g., if lockouts are local to each replica, then a user can attempt passwordRetryCount x number of replicas). My focus is ensuring that if an account is locked out on one or more replica(s), that an unlock sent to one replica will push to all other replicas. Otherwise, I will have to manually update and check every replica every time a user needs their account unlocked. We have a burdensome requirement (supposedly) that requires all locked accounts to be manually unlocked.
The issue is that every time a user logs in, or fails to, a replication event will be triggered. So imagine in the morning as everyone arrives. Depending on the size of your userbase this could be extensive.
But as I recall the replication agreements are set up with a list of excluded attributes including the lockout ones: krblastsuccessfulauth, krblastfailedauth, krbloginfailedcount.
You could modify the nsDS5ReplicatedAttributeList attribute in the replication agreements and remove those attributes and they should replicate.
rob
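As an added example, not code from the thread or from FreeIPA itself: a POSIX shell helper for the change Rob describes, which takes an agreement's current nsDS5ReplicatedAttributeList value, drops the three lockout attributes from its EXCLUDE list, and prints the LDIF record to feed to ldapmodify. The sample attribute value, agreement DN and hostnames are constructed; the real ones are read from cn=mapping tree,cn=config on each replica.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: rewrite an
# agreement's nsDS5ReplicatedAttributeList so the per-server lockout
# attributes are no longer excluded from replication.

# The three attributes Rob names as excluded by default.
LOCKOUT_ATTRS="krblastsuccessfulauth krblastfailedauth krbloginfailedcount"

# strip_lockout_attrs VALUE
# Prints VALUE with the lockout attributes dropped from its "$ EXCLUDE"
# list (matched case-insensitively, as LDAP attribute names are);
# the filter part before the "$" is kept as-is.
strip_lockout_attrs() {
    case $1 in
        *\$*) ;;
        *) printf '%s\n' "$1"; return 0 ;;   # no EXCLUDE list: nothing to do
    esac
    filter=${1%%\$*}
    exclude=${1#*\$}
    kept=""
    for tok in $exclude; do
        lc=$(printf '%s' "$tok" | tr '[:upper:]' '[:lower:]')
        drop=0
        for a in $LOCKOUT_ATTRS; do
            if [ "$lc" = "$a" ]; then drop=1; fi
        done
        if [ "$drop" -eq 0 ]; then kept="$kept $tok"; fi
    done
    printf '%s$%s\n' "$filter" "$kept"
}

# agreement_ldif AGREEMENT_DN NEW_VALUE
# Prints the LDIF modify record to pipe into ldapmodify. Each server holds
# its own agreements, so this has to be applied per agreement, per server.
agreement_ldif() {
    printf 'dn: %s\nchangetype: modify\n' "$1"
    printf 'replace: nsDS5ReplicatedAttributeList\n'
    printf 'nsDS5ReplicatedAttributeList: %s\n' "$2"
}

# Constructed sample value and agreement DN (read the real ones from
# cn=mapping tree,cn=config with ldapsearch as Directory Manager).
SAMPLE_VALUE='(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'
SAMPLE_DN='cn=meToipa2.example.test,cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config'

agreement_ldif "$SAMPLE_DN" "$(strip_lockout_attrs "$SAMPLE_VALUE")"
```

Once these attributes replicate, every successful or failed login becomes a replication event, which is the traffic cost Rob points out above.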