Red Hat Directory Server 8.0 Administrator's Guide

attributes related to the account lockout counts for an entry, so that the malicious user is locked
out of every supplier and consumer replica in the configuration if a login attempt fails on a single
master.
By default, three password policy attributes are not replicated, even if other password attributes
are. These attributes track login failures and lockout periods:
passwordRetryCount
retryCountResetTime
accountUnlockTime
To enable these attributes to be replicated, change the passwordIsGlobalPolicy configuration
attribute:
ldapmodify -h consumer1.example.com -p 389 -D "cn=directory manager" -w password
dn: cn=config
changetype: modify
replace: passwordIsGlobalPolicy
passwordIsGlobalPolicy: 1
Changing that value to 1 allows the passwordRetryCount, retryCountResetTime, and
accountUnlockTime to be replicated. No other configuration is necessary for the attributes to
be included with the replicated attributes.
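The following Python script is an added example, not part of the Administrator's Guide or the Directory Server product. It audits a replication topology for the setting described above: given the cn=config entry exported from each replica (here constructed sample LDIF for hypothetical hosts supplier1, consumer1 and consumer2, with one value base64-encoded and one folded across lines, as ldapsearch output can be), it parses the LDIF, reports the replicas on which passwordIsGlobalPolicy is still 0 (so that passwordRetryCount, retryCountResetTime and accountUnlockTime stay local and a lockout on one master does not propagate), and emits the LDIF modification that enables it. It assumes the value "1" is the only enabling value, as the guide states.

```python
import base64
from typing import Dict, List

# The three lockout attributes the guide says are not replicated unless
# passwordIsGlobalPolicy is set to 1 on the replica.
LOCKOUT_ATTRS = ("passwordRetryCount", "retryCountResetTime", "accountUnlockTime")


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry (as printed by ldapsearch) into {attr_lowercase: [values]}.

    Handles folded continuation lines (a leading space joins to the previous line)
    and base64-encoded values (attr:: base64). Comments and 'version:' are skipped.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    attrs: Dict[str, List[str]] = {}
    for line in unfolded:
        if not line or line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return attrs


def lockout_is_global(entry: Dict[str, List[str]]) -> bool:
    """True when the replica replicates the lockout counters (passwordIsGlobalPolicy: 1)."""
    return entry.get("passwordisglobalpolicy", [])[:1] == ["1"]


def audit_topology(exports: Dict[str, str]) -> Dict[str, object]:
    """Given {hostname: LDIF of cn=config}, list replicas whose lockout state stays local."""
    local_only = sorted(
        host for host, ldif in exports.items() if not lockout_is_global(parse_ldif_entry(ldif))
    )
    return {
        "local_only": local_only,
        "consistent": not local_only,
        "unreplicated_attrs": list(LOCKOUT_ATTRS) if local_only else [],
    }


def global_policy_ldif(enable: bool = True) -> str:
    """LDIF to feed to ldapmodify (the same modification the guide shows)."""
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        "replace: passwordIsGlobalPolicy\n"
        f"passwordIsGlobalPolicy: {1 if enable else 0}\n"
    )


# Constructed sample exports for hypothetical hosts (not real ldapsearch output).
SAMPLE_EXPORTS = {
    # folded attribute name, as ldapsearch wraps long lines
    "supplier1.example.com": "dn: cn=config\ncn: config\npasswordIsGlobalPo\n licy: 1\n",
    "consumer1.example.com": "dn: cn=config\ncn: config\npasswordIsGlobalPolicy: 0\n",
    # base64-encoded value; "MQ==" decodes to "1"
    "consumer2.example.com": "dn: cn=config\ncn: config\npasswordIsGlobalPolicy:: MQ==\n",
}

if __name__ == "__main__":
    report = audit_topology(SAMPLE_EXPORTS)
    for host in report["local_only"]:
        print(f"{host}: lockout counters are local; apply:\n{global_policy_ldif()}")
    if report["consistent"]:
        print("all replicas replicate lockout state")
```

In practice the exports would come from `ldapsearch -b cn=config -s base passwordIsGlobalPolicy` against each replica; the audit only reads the attribute and never changes it, so it can run as part of a routine configuration review before the modification above is applied.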
13. Replication over SSL
The Directory Servers involved in replication can be configured so that all replication operations
occur over an SSL connection. To use replication over SSL, first do the following:
Configure both the supplier and consumer servers to use SSL.
Configure the consumer server to recognize the supplier server's certificate as the supplier
DN. This step is required only when using SSL client authentication rather than simple authentication.
These procedures are described in Chapter 11, Managing SSL.
If attribute encryption is enabled, a secure connection is required for replication.
NOTE
Replication configured over SSL with certificate-based authentication will fail if
Chapter 8. Managing Replication
332