Paul B. Henson wrote:
>> From: Michael Ströder
>> BTW: AFAIK write operations to 'pwdFailureTime' are normally not
>> replicated.
>
> Hmm, in my initial testing, it seemed to be.

The attribute is replicated when the entry is replicated as a whole (e.g. during initial phase). I'd rather consider this to be a bug though. Use exattrs in your syncrepl statement. But AFAICS slapo-ppolicy's write operation on this attribute does not trigger the replication.

> Account lockout wouldn't be
> nearly as useful if the failures were not synchronized across all of the
> servers and the settings were applied separately on each one.
> (Well, arguably account lockout is not useful in general :),

Glad you already remarked that yourself. ;-)

> but as a checkbox on an audit form it would be less useful if the failures
> weren't synchronized).

I have quite some experience discussing that with security folks. Most of them are open to good arguments. But personally I wonder why I have to tell security folks about this DoS attack vector. Anyway...

Ciao, Michael.