Hello.
I've taken over a large 389-ds environment running on Oracle Linux 8 and the first
task I need to complete is to enable password lockouts.
I was able to enable password lockouts successfully; however, it only works if the client is
pointed directly to a master. The account locks out and the attributes are propagated down
to the hubs and consumers.
If the client is pointed to a read-only hub or consumer, then the account does not lock out
and the password attributes do not propagate back to the masters.
passwordIsGlobalPolicy: on is set on all masters, hubs and consumers
Password policy attributes I expect to replicate:
passwordRetryCount
accountUnlockTime
retryCountResetTime
I've tried following the chaining guide below, which I think is what I need to do to
get this to work as expected; however, I've hit a snag.
https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate....
The document states the backend must be added to the hub or consumer; however, when I try
to add the following LDIF to the hub I get the "unwilling to perform" error.
This makes sense because the hub is read-only, so I'm confused as to how I can update the
config on a read-only hub or consumer.
dn: cn=chainlab,cn=chaining database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
cn: chainlab
nsslapd-suffix: dc=domain,dc=com
nsfarmserverurl: ldap://dsa1.domain.com:389 ldap://dsa2.domain.com:389 ldap://dsa3.domain.com:389
nsmultiplexorbinddn: uid=repluser,cn=config
nsmultiplexorcredentials: mypassword
nsCheckLocalACI: on
adding new entry "cn=chainlab,cn=chaining database,cn=plugins,cn=config"
ldap_add: Server is unwilling to perform (53)
Hub or Consumer
Step 1 (Hub and Consumer): the chaining backend must be created on the hub and consumer:
dn: cn=chainbe1,cn=chaining database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
cn: chainbe1
nsslapd-suffix: <suffix to replicate>
nsfarmserverurl: ldap://supplier1:port supplier2:port ... supplierN:port/
# also, ldaps can be used instead of ldap for secure connections - requires the secure port
nsmultiplexorbinddn: cn=Replication Manager,cn=config
# or whatever the replica bind DN is on the supplier
nsmultiplexorcredentials: password
nsCheckLocalACI: on
Any help would be greatly appreciated.
Thanks