Replicating Account Lockout Counter?
807573 Mar 4 2004 — edited Mar 8 2004
---Setup---
- multi-master replication between two directory servers (DS)
- load balancer that distributes connections between the directory servers
- password lockout counter set to 5 fails before a lockout
---Problem---
The password policy's account lockout counter (passwordRetryCount) is not being replicated. This is resulting in users having more than 5 failed attempts before lockout occurs. The load balancer sends the request from one DS to the other, and each DS keeps track of its own password lockout counter.
---Question---
How else can I keep the passwordRetryCount in sync between the two DS? Can I do something outside of the DS using slurp? How are you doing this in your environment?
Sun's documentation (http://docs.sun.com/source/816-6698-10/useracct.html#14386 - 3rd bullet at the end of that section):
"Each replica keeps separate, non-replicated account lockout counters. As a result, the lockout policy will be enforced on any single replica, but may be circumvented when a user attempts to bind to several replicas. For example, if you have 10 servers in the replication topology, and lock out is activated after three attempts, an intruder could potentially try 30 guesses of the password.
While replication does allow an intruder more guesses, the number is insignificant when compared to the billions of password values. It is much more important to force users to have strong passwords by turning on password checking and setting a password length of six characters or more. You should also give them guidelines on how to select and remember a password that is not a common dictionary word. Finally, you should ensure that all directory administrator users have very strong passwords."
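As an added example (not from the original post or from Sun's documentation), the model below replays constructed bind results spread across two DS by a load balancer and compares what a non-replicated per-replica counter sees against a single counter per user across both replicas, which is what a replicated counter or an external correlator would see. The event tuple shape, the replica names ds1/ds2 and the user DNs are assumptions for the example, not the directory server's log format.

```python
from collections import defaultdict

# Constructed sample bind results, tagged with the replica that handled them:
# (replica, user DN, bind succeeded). This tuple shape is an assumption for the
# example, not the format of the directory server's access log.
EVENTS = [
    ("ds1", "uid=alice", False), ("ds2", "uid=alice", False),
    ("ds1", "uid=alice", False), ("ds2", "uid=alice", False),
    ("ds1", "uid=alice", False), ("ds2", "uid=alice", False),
    ("ds1", "uid=alice", False), ("ds2", "uid=alice", False),
    ("ds1", "uid=bob", False), ("ds1", "uid=bob", True),  # success resets bob
    ("ds2", "uid=bob", False),
]

def replay(events, threshold=5):
    """Replay bind results two ways and return the lockouts each model produces.

    per_replica: mirrors a non-replicated passwordRetryCount, one counter per
    (replica, user), reset only by a successful bind on that same replica.
    aggregate:   one counter per user across all replicas, i.e. what a
    replicated counter or an out-of-band correlator would see.
    """
    per_replica = defaultdict(int)
    aggregate = defaultdict(int)
    per_replica_lockouts = []   # (replica, user, event index)
    aggregate_lockouts = []     # (user, event index)
    for i, (replica, user, ok) in enumerate(events):
        if ok:
            per_replica[(replica, user)] = 0
            aggregate[user] = 0
            continue
        per_replica[(replica, user)] += 1
        aggregate[user] += 1
        if per_replica[(replica, user)] == threshold:
            per_replica_lockouts.append((replica, user, i))
        if aggregate[user] == threshold:
            aggregate_lockouts.append((user, i))
    return {"per_replica": per_replica_lockouts, "aggregate": aggregate_lockouts,
            "max_fails_on_one_replica": max(per_replica.values(), default=0)}

def worst_case_guesses(replicas, threshold):
    """Guesses possible before every replica has locked the account when the
    counters are not replicated (Sun's example: 10 replicas x 3 attempts = 30)."""
    return replicas * threshold

if __name__ == "__main__":
    print(replay(EVENTS))              # alice: 8 failures, no replica ever reaches 5
    print(worst_case_guesses(2, 5))    # two DS, lockout at 5 -> 10 guesses
```

With the counters kept per replica, alice's eight failures are split 4/4 and neither DS locks the account, while the aggregate view reaches the threshold at the fifth failure.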