HP-UX Directory Server 8.1 administrator guide

8.12 Replicating account lockout attributes
Account lockout policies will block a user ID from being able to access the Directory Server if
the login attempt fails a set number of times. This prevents hackers or other malicious people
from illegitimately accessing the Directory Server by guessing a password. Password policies
are set locally, and generally account lockout attributes are local to each replica. This means that
a person can attempt to log in to one replica until the account lockout count is reached, then try
again immediately on another replica. The way to prevent that is to replicate the attributes related
to the account lockout counts for an entry, so that the malicious user is locked out of every
supplier and consumer replica in the configuration if a login attempt fails on a single master.
By default, three password policy attributes are not replicated, even if other password attributes
are. These attributes track the account lockout policy's login failures and lockout periods:
passwordRetryCount
retryCountResetTime
accountUnlockTime
8.12.1 Configuring Directory Server to replicate password policy attributes
A special core configuration attribute controls whether password policy operational attributes
are replicated. This is the passwordIsGlobalPolicy attribute, which is enabled in the consumer
Directory Server configuration to allow the consumer to accept password policy operational
attributes.
By default, this attribute is set to off.
To enable these attributes to be replicated, change the passwordIsGlobalPolicy configuration
attribute on the consumer:
ldapmodify -D "cn=directory manager" -w secret -p 389 -h consumer1.example.com
dn: cn=config
changetype: modify
replace: passwordIsGlobalPolicy
passwordIsGlobalPolicy: on
Changing that value to on allows the passwordRetryCount, retryCountResetTime, and
accountUnlockTime to be replicated. No other configuration is necessary for the attributes to
be included with the replicated attributes.
8.12.2 Configuring fractional replication for password policy attributes
Setting the passwordIsGlobalPolicy attribute affects only the consumer side of replication: it
allows the consumer to accept updates to those attributes. To control whether the password
policy attributes are actually sent by the supplier, use fractional replication, which controls
which specific entry attributes are replicated.
If the password policy attributes should be replicated, then make sure these attributes are included
in the fractional replication agreement (as they are by default).
If the passwordIsGlobalPolicy attribute is set to off on the consumer, so that no password
policy attributes should be replicated to it, use fractional replication (described in “Replicating
attributes with fractional replication”) to enforce that on the supplier by specifically excluding
those attributes from the replication agreement.
1. When configuring the replication agreement on the supplier, as described (for example) in
“Create the replication agreement”, select the Enable Fractional Replication checkbox.
2. By default, every attribute is listed in the Replicated Attributes box. Select the
passwordRetryCount, retryCountResetTime, and accountUnlockTime parameters
and click the arrow button to move them into the Do Not Replicate box.
3. Finish configuring the replication agreement.
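As an added example that is not part of this guide, the following shell script checks that a consumer's passwordIsGlobalPolicy setting (8.12.1) and the supplier's fractional replication agreement (8.12.2) agree on the three lockout attributes, so that lockout is either global everywhere or local everywhere. It parses LDIF of the kind ldapsearch returns for cn=config and for an agreement entry; both sample entries are constructed, and the attribute name nsDS5ReplicatedAttributeList with its EXCLUDE syntax is assumed from Red Hat Directory Server rather than taken from this page.

```shell
#!/bin/sh
# Added example (not from the HP-UX Directory Server guide): check that a consumer's passwordIsGlobalPolicy
# and the supplier's fractional replication agreement agree. Inputs are LDIF as returned by ldapsearch.
# Constructed sample: the consumer's cn=config entry (ldapsearch -b cn=config -s base passwordIsGlobalPolicy).
CONSUMER_CONFIG='dn: cn=config
passwordIsGlobalPolicy: off'
# Constructed sample: a supplier agreement. nsDS5ReplicatedAttributeList and its EXCLUDE syntax are
# assumed from Red Hat DS; this agreement does not exclude the lockout attributes, so they are still sent.
SUPPLIER_AGREEMENT='dn: cn=to consumer1,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE authorityRevocationList'

# Print the consumer's passwordIsGlobalPolicy value in lowercase; "off" when absent (the default).
global_policy() {
  printf '%s\n' "$1" | awk -F': *' '
    tolower($1) == "passwordisglobalpolicy" { print tolower($2); found = 1 }
    END { if (!found) print "off" }'
}
# Print, lowercased and one per line, the attributes listed after EXCLUDE in the agreement.
excluded_attrs() {
  printf '%s\n' "$1" | awk -F': *' '
    tolower($1) == "nsds5replicatedattributelist" {
      n = split($2, w, " ")
      for (i = 1; i <= n; i++)
        if (toupper(w[i]) == "EXCLUDE") seen = 1; else if (seen) print tolower(w[i])
    }'
}
# Count how many of the three lockout attributes the agreement excludes (0..3).
excluded_lockout_count() {
  excluded=$(excluded_attrs "$1"); n=0
  for a in passwordRetryCount retryCountResetTime accountUnlockTime; do
    lower=$(printf '%s' "$a" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$excluded" | grep -qx "$lower" && n=$((n + 1))
  done
  echo "$n"
}
# Verdict: both sides must agree on whether lockout counts are global or local to each replica.
lockout_replication_check() {
  policy=$(global_policy "$1"); n=$(excluded_lockout_count "$2")
  if [ "$policy" = "on" ] && [ "$n" -eq 0 ]; then
    echo "ok: lockout counts are global (consumer accepts, supplier replicates all three)"
  elif [ "$policy" != "on" ] && [ "$n" -eq 3 ]; then
    echo "ok: lockout counts are local (consumer rejects, supplier excludes all three)"
  elif [ "$policy" = "on" ]; then
    echo "mismatch: passwordIsGlobalPolicy is on but the agreement excludes $n of 3 lockout attributes"
  else
    echo "mismatch: passwordIsGlobalPolicy is off but the agreement still replicates $((3 - n)) lockout attributes"
  fi
}
lockout_replication_check "$CONSUMER_CONFIG" "$SUPPLIER_AGREEMENT"
```

In a real audit, replace the two constructed entries with the output of ldapsearch against the consumer's cn=config and the supplier's agreement entry.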