HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

8.12.1 Configuring Directory Server to replicate password policy attributes
A special core configuration attribute controls whether password policy operational attributes are
replicated. This is the passwordIsGlobalPolicy attribute, which is enabled in the consumer
Directory Server configuration to allow the consumer to accept password policy operational
attributes.
By default, this attribute is set to off.
To enable these attributes to be replicated, change the passwordIsGlobalPolicy configuration
attribute on the consumer:
ldapmodify -D "cn=directory manager" -w secret -p 389 -h consumer1.example.com
dn: cn=config
changetype: modify
replace: passwordIsGlobalPolicy
passwordIsGlobalPolicy: on
Changing that value to on allows the passwordRetryCount, retryCountResetTime, and
accountUnlockTime attributes to be replicated. No other configuration is necessary for these
attributes to be included with the replicated attributes.
8.12.2 Configuring fractional replication for password policy attributes
Setting the passwordIsGlobalPolicy attribute affects the consumer in replication, in that it
allows the consumer to receive updates to those attributes. To control whether the password policy
attributes are actually replicated by the supplier, use fractional replication, which controls what
specific entry attributes are replicated.
If the password policy attributes should be replicated, then make sure these attributes are included
in the fractional replication agreement (as they are by default).
If the passwordIsGlobalPolicy attribute is set to off on the consumer, so that no password policy
attributes should be replicated, use fractional replication (described in “Replicating attributes with
fractional replication” (page 319)) to enforce that on the supplier by specifically excluding those
attributes from the replication agreement.
1. When configuring the replication agreement on the supplier, as described (for example) in
“Create the replication agreement” (page 329), select the Enable Fractional Replication checkbox.
2. By default, every attribute is listed in the Replicated Attributes box. Select the
passwordRetryCount, retryCountResetTime, and accountUnlockTime parameters
and click the arrow button to move them into the Do Not Replicate box.
3. Finish configuring the replication agreement.
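The consumer setting (8.12.1) and the supplier's fractional agreement (8.12.2) must agree: a consumer with passwordIsGlobalPolicy off while the supplier still sends the three attributes, or a consumer with it on while the supplier excludes them, leaves the policy out of sync. The following Python is an added example, not code from the guide or from Directory Server, that audits the two values and emits the LDIF for each side. It assumes the agreement entry stores the exclusion as the nsDS5ReplicatedAttributeList attribute in the form "(objectclass=*) $ EXCLUDE attr1 attr2 ..." (the value the Enable Fractional Replication checkbox writes); the agreement DN and the sample values are constructed placeholders.

```python
"""Audit whether a consumer's passwordIsGlobalPolicy setting matches the
password-policy attributes a supplier actually replicates.
Added example; not part of the HP-UX Directory Server documentation."""

# The three operational attributes controlled by passwordIsGlobalPolicy (8.12.1).
PASSWORD_POLICY_ATTRS = ("passwordRetryCount", "retryCountResetTime", "accountUnlockTime")


def parse_replicated_attribute_list(value):
    """Return the lower-cased attribute names excluded by an
    nsDS5ReplicatedAttributeList value, e.g.
    '(objectclass=*) $ EXCLUDE passwordRetryCount accountUnlockTime'.
    None or an empty value means every attribute is replicated."""
    if not value:
        return set()
    _filter, sep, rest = value.partition("$")
    tokens = rest.split()
    if not sep or not tokens or tokens[0].upper() != "EXCLUDE":
        raise ValueError("unrecognised fractional replication syntax: %r" % value)
    return {t.lower() for t in tokens[1:]}


def build_exclusion_value(attrs):
    """Build the agreement value that excludes the given attributes."""
    return "(objectclass=*) $ EXCLUDE " + " ".join(attrs)


def audit(consumer_global_policy, supplier_attr_list):
    """Compare the consumer's passwordIsGlobalPolicy ('on'/'off') with the
    supplier's nsDS5ReplicatedAttributeList; return a list of findings
    (empty when the two sides agree)."""
    findings = []
    accepts = consumer_global_policy.strip().lower() == "on"
    excluded = parse_replicated_attribute_list(supplier_attr_list)
    sent = [a for a in PASSWORD_POLICY_ATTRS if a.lower() not in excluded]
    held_back = [a for a in PASSWORD_POLICY_ATTRS if a.lower() in excluded]
    if accepts and held_back:
        findings.append("consumer accepts global password policy but the supplier "
                        "excludes: " + ", ".join(held_back))
    if not accepts and sent:
        findings.append("consumer has passwordIsGlobalPolicy off but the supplier "
                        "still replicates: " + ", ".join(sent))
    return findings


def consumer_ldif(enable):
    """LDIF (for ldapmodify on the consumer) that sets passwordIsGlobalPolicy."""
    return "\n".join([
        "dn: cn=config",
        "changetype: modify",
        "replace: passwordIsGlobalPolicy",
        "passwordIsGlobalPolicy: " + ("on" if enable else "off"),
        "",
    ])


def supplier_ldif(agreement_dn, exclude):
    """LDIF (for ldapmodify on the supplier) that excludes attributes from
    the replication agreement entry identified by agreement_dn."""
    return "\n".join([
        "dn: " + agreement_dn,
        "changetype: modify",
        "replace: nsDS5ReplicatedAttributeList",
        "nsDS5ReplicatedAttributeList: " + build_exclusion_value(exclude),
        "",
    ])


if __name__ == "__main__":
    # Constructed sample: consumer is off, supplier excludes nothing yet.
    for finding in audit("off", None):
        print("FINDING:", finding)
    # Placeholder agreement DN; use the real DN of the agreement under
    # cn=replica,cn=<suffix>,cn=mapping tree,cn=config on the supplier.
    print(supplier_ldif("cn=to-consumer1,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,"
                        "cn=mapping tree,cn=config", PASSWORD_POLICY_ATTRS))
```

The two current values can be read with ldapsearch as cn=directory manager (passwordIsGlobalPolicy from cn=config on the consumer, nsDS5ReplicatedAttributeList from the agreement entry on the supplier) and passed to audit(); the LDIF helpers then produce the change that brings the lagging side into line.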
8.13 Replication over SSL
The Directory Servers involved in replication can be configured so that all replication operations
occur over an SSL connection. To use replication over SSL, first do the following:
• Configure both the supplier and consumer servers to use SSL.
• Configure the consumer server to recognize the supplier server's certificate as the supplier
DN. This is required only if you use SSL client authentication rather than simple authentication.
These procedures are described in “Managing SSL” (page 469).
If attribute encryption is enabled, a secure connection is required for replication.
NOTE:
Replication configured over SSL with certificate-based authentication fails if the supplier's
certificate can only act as a server certificate and not also as a client certificate during the SSL
handshake. Replication with certificate-based authentication uses the Directory Server's server
certificate to authenticate to the remote server.
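The note above is easy to check before enabling certificate-based replication: the supplier's server certificate must be usable for client authentication as well. The following Python is an added example, not code from the guide or from Directory Server, that inspects the extended key usage (EKU) extension of a certificate with the third-party cryptography package. It builds throwaway self-signed certificates in memory so it runs without a server; the common name supplier1.example.com and the EKU combinations are constructed test data.

```python
"""Check whether a supplier certificate may also act as an SSL client.
Added example; not part of the HP-UX Directory Server documentation.
Requires the 'cryptography' package."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Names as shown by certutil/openssl, mapped to the X.509 EKU object identifiers.
EKU_BY_NAME = {
    "serverAuth": ExtendedKeyUsageOID.SERVER_AUTH,
    "clientAuth": ExtendedKeyUsageOID.CLIENT_AUTH,
}


def make_self_signed_cert(common_name, eku_names):
    """Constructed test certificate carrying the given EKU names; an empty
    tuple omits the EKU extension entirely. Not a real server certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
    )
    if eku_names:
        usages = [EKU_BY_NAME[n] for n in eku_names]
        builder = builder.add_extension(x509.ExtendedKeyUsage(usages), critical=False)
    return builder.sign(key, hashes.SHA256())


def load_pem_cert(pem_bytes):
    """Load a PEM-encoded certificate, e.g. one exported from the server's
    NSS database with certutil -L -n <nickname> -a."""
    return x509.load_pem_x509_certificate(pem_bytes)


def client_auth_capable(cert):
    """True if the certificate may be used for TLS client authentication.
    Per RFC 5280 a certificate without an EKU extension is not restricted to
    a purpose; when the extension is present, clientAuth (or anyExtendedKeyUsage)
    must be listed."""
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return True
    usages = list(eku)
    return (ExtendedKeyUsageOID.CLIENT_AUTH in usages
            or ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE in usages)


def check_supplier_cert(cert):
    """Findings relevant to replication with certificate-based authentication;
    an empty list means the certificate can serve both roles."""
    findings = []
    if not client_auth_capable(cert):
        findings.append("supplier certificate lacks the clientAuth extended key usage; "
                        "replication with certificate-based authentication will fail")
    return findings


if __name__ == "__main__":
    server_only = make_self_signed_cert("supplier1.example.com", ("serverAuth",))
    dual_role = make_self_signed_cert("supplier1.example.com", ("serverAuth", "clientAuth"))
    print("server-only cert:", check_supplier_cert(server_only))
    print("dual-role cert:  ", check_supplier_cert(dual_role))
```

Run check_supplier_cert() on the exported supplier certificate before switching the agreement to certificate-based authentication; a non-empty result means the certificate has to be reissued with the client role as well.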
378 Managing Replication