Chapter 8. Managing Replication

attributes related to the account lockout counts for an entry, so that the malicious user is locked out of every supplier and consumer replica in the configuration if a login attempt fails on a single master.

By default, three password policy attributes are not replicated, even if other password attributes are. These attributes track the number of login failures and the lockout periods:

passwordRetryCount

retryCountResetTime

accountUnlockTime

To enable these attributes to be replicated, change the passwordIsGlobalPolicy configuration attribute:

ldapmodify -h consumer1.example.com -p 389 -D "cn=directory manager" -w password
dn: cn=config
changetype: modify
replace: passwordIsGlobalPolicy
passwordIsGlobalPolicy: 1

Changing that value to 1 allows the passwordRetryCount, retryCountResetTime, and accountUnlockTime to be replicated. No other configuration is necessary for the attributes to be included with the replicated attributes.
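Because a lockout is only global if every replica actually sends and accepts these three attributes, it is worth checking the setting on each server rather than on a single consumer. The script below is an added example and not part of the manual or of Directory Server itself: it reads passwordIsGlobalPolicy from cn=config on each host given on the command line, reports the hosts where it is not enabled, and can emit the same modify LDIF the manual shows for fixing them. The host names, bind DN, password and the FETCH override are assumptions for illustration; ldapsearch is invoked in the style of the manual's own ldap tools (OpenLDAP clients additionally need -x for a simple bind).

```shell
#!/bin/sh
# Added example, not from the manual: audit that passwordIsGlobalPolicy is
# enabled on every replica so the lockout counters are really replicated.
# Bind DN, password and host names are assumptions for illustration.

BIND_DN="cn=directory manager"
BIND_PW="password"
PORT=389

# Print the value of attribute $1 from LDIF on stdin. Attribute names are
# matched case-insensitively as in LDAP; base64 ("::") values are not decoded.
ldif_attr() { grep -i "^$1:" | sed 's/^[^:]*:[ ]*//'; }

# Read cn=config from one host, restricted to the attribute of interest.
# Mirrors the manual's ldap tools; OpenLDAP's ldapsearch also needs -x.
fetch_config() {
    ldapsearch -h "$1" -p "$PORT" -D "$BIND_DN" -w "$BIND_PW" \
        -s base -b "cn=config" "(objectClass=*)" passwordIsGlobalPolicy
}

# Succeed (exit 0) when the LDIF on stdin shows the policy enabled.
# The manual uses the value 1; newer servers also accept "on".
global_policy_enabled() {
    v=$(ldif_attr passwordIsGlobalPolicy | tr 'A-Z' 'a-z')
    [ "$v" = "1" ] || [ "$v" = "on" ]
}

# Check every host given as an argument; report the non-compliant ones on
# stderr and return 1 if there were any. FETCH names the function used to
# read cn=config (defaults to fetch_config; override it for offline tests).
audit_replicas() {
    bad=0
    for host in "$@"; do
        if "${FETCH:-fetch_config}" "$host" | global_policy_enabled; then
            echo "$host: passwordIsGlobalPolicy enabled"
        else
            echo "$host: NOT replicating lockout attributes" >&2
            bad=1
        fi
    done
    return $bad
}

# The modify LDIF from the manual; pipe it to ldapmodify on each host that
# fails the audit, e.g.
#   enable_ldif | ldapmodify -h consumer1.example.com -p 389 -D "$BIND_DN" -w "$BIND_PW"
enable_ldif() {
    printf '%s\n' 'dn: cn=config' 'changetype: modify' \
        'replace: passwordIsGlobalPolicy' 'passwordIsGlobalPolicy: 1'
}

# Constructed cn=config response (not captured from a server) for offline
# checks: a replica that still has the default, non-global policy.
sample_config() {
    printf '%s\n' 'dn: cn=config' 'passwordIsGlobalPolicy: 0' ''
}

# Offline check against the constructed sample; no server is contacted.
sample_config | global_policy_enabled || echo "constructed sample: policy is not global"

# Usage: sh audit.sh supplier1.example.com consumer1.example.com ...
# (with no hosts nothing is contacted)
audit_replicas "$@"
```

Run it against every supplier and consumer in the topology; a host listed as not replicating the lockout attributes will keep its own passwordRetryCount independently of the others, so a lockout on one master does not carry over to it.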

13. Replication over SSL

The Directory Servers involved in replication can be configured so that all replication operations occur over an SSL connection. To use replication over SSL, first do the following:

Configure both the supplier and consumer servers to use SSL.

Configure the consumer server to recognize the supplier server's certificate as the supplier DN. This step is needed only when SSL client (certificate-based) authentication is used instead of simple authentication.

These procedures are described in Chapter 11, Managing SSL.

If attribute encryption is enabled, a secure connection is required for replication.
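The steps above only prepare the servers; the replication agreement itself must also be told to use the SSL port and, for certificate-based authentication, to bind with the supplier's certificate rather than a DN and password. The script below is an added example and not code from the manual or from Directory Server: it generates such an agreement entry and checks an existing agreement, read as LDIF, for the two mistakes that undo the setup (a plain LDAP transport, which must not be used once attribute encryption is enabled, and a stored password on an agreement that is supposed to authenticate with a certificate). The suffix, host name, agreement name and the constructed plaintext agreement are assumptions for illustration; the nsDS5Replica* attribute names are those of Directory Server replication agreements, and "TLS" is accepted as secure only because newer servers use it for StartTLS.

```shell
#!/bin/sh
# Added example, not from the manual: build a replication agreement that runs
# over SSL with certificate-based client authentication, and check that an
# agreement does not fall back to plaintext or to a stored password.
# Suffix, consumer host and agreement name are assumptions for illustration.

SUFFIX="dc=example,dc=com"
CONSUMER="consumer1.example.com"

# Value of attribute $1 from LDIF on stdin (names compared case-insensitively;
# base64 "::" values are not decoded).
ldif_attr() { grep -i "^$1:" | sed 's/^[^:]*:[ ]*//'; }

# Agreement entry for the supplier: LDAPS on 636 and the supplier's certificate
# instead of a bind DN and password. The consumer must already map that
# certificate to the supplier DN (Chapter 11). Pipe to ldapmodify on the
# supplier as in the manual's other examples.
agreement_ldif() {
    cat <<EOF
dn: cn=ssl-to-$CONSUMER,cn=replica,cn="$SUFFIX",cn=mapping tree,cn=config
changetype: add
objectClass: top
objectClass: nsDS5ReplicationAgreement
cn: ssl-to-$CONSUMER
nsDS5ReplicaRoot: $SUFFIX
nsDS5ReplicaHost: $CONSUMER
nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaBindMethod: SSLCLIENTAUTH
EOF
}

# Inspect one agreement entry given as LDIF on stdin. Returns 0 when the
# replication traffic is protected, 1 otherwise, with the reason on stderr.
check_agreement() {
    entry=$(cat)
    transport=$(printf '%s\n' "$entry" | ldif_attr nsDS5ReplicaTransportInfo | tr 'a-z' 'A-Z')
    method=$(printf '%s\n' "$entry" | ldif_attr nsDS5ReplicaBindMethod | tr 'a-z' 'A-Z')
    creds=$(printf '%s\n' "$entry" | ldif_attr nsDS5ReplicaCredentials)
    case "$transport" in
        SSL|TLS) ;;                      # LDAPS, or StartTLS on newer servers
        LDAP|"")                         # absent means the plaintext default
            echo "plaintext transport (${transport:-unset}): replication data and" \
                 "credentials cross the network in the clear" >&2
            return 1 ;;
        *)  echo "unknown transport $transport; review the agreement" >&2
            return 1 ;;
    esac
    if [ "$method" = "SSLCLIENTAUTH" ] && [ -n "$creds" ]; then
        echo "certificate authentication with a stored password; remove" \
             "nsDS5ReplicaCredentials" >&2
        return 1
    fi
    return 0
}

# Constructed plaintext agreement (not captured from a server) for contrast:
# what an agreement looks like before SSL is configured.
plaintext_agreement() {
    printf '%s\n' "dn: cn=plain,cn=replica,cn=\"$SUFFIX\",cn=mapping tree,cn=config" \
        'objectClass: nsDS5ReplicationAgreement' "nsDS5ReplicaHost: $CONSUMER" \
        'nsDS5ReplicaPort: 389' 'nsDS5ReplicaTransportInfo: LDAP' \
        'nsDS5ReplicaBindMethod: SIMPLE' \
        'nsDS5ReplicaBindDN: cn=replication manager,cn=config' \
        'nsDS5ReplicaCredentials: secret'
}

# Offline demonstration: the generated agreement passes, the plaintext one fails.
agreement_ldif | check_agreement && echo "generated agreement: secure"
plaintext_agreement | check_agreement || echo "plaintext agreement: rejected"
```

To audit a live server, export each entry under cn=replica,cn="suffix",cn=mapping tree,cn=config with ldapsearch and pipe it through check_agreement; an agreement that still says LDAP must be corrected before attribute encryption is turned on, since the server will otherwise refuse to replicate.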

NOTE

Replication configured over SSL with certificate-based authentication will fail if

HP-UX Red Hat Directory Server Software manual, Replication over SSL, 332