[Freeipa-users] User Lockout even with special password Policy

Matt . yamakasi.014 at gmail.com
Thu Jan 14 17:06:19 UTC 2016


OK, this looks good, but keeps the user locked from time to time:

# ipa pwpolicy-show --user kinit-user
  Group: service_accounts
  Max lifetime (days): 1024
  Min lifetime (hours): 0
  Lockout duration: 0



Can we make sure we apply a policy to the sysaccounts users or is that
undoable ?

2016-01-14 16:58 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
> Matt . wrote:
>> OK, nice, but this user failed on kinit but is in the group where the
>> policy is set to 0.
>>
>> Can I check on the commandline if it applies to that setting by
>> querying ldap in some way ? It could be that some other group
>> overrules in some way ?
>
> $ ipa pwpolicy-show --user <someuser>
>
>> What about sysaccounts ? They seem to be locked also with too many
>> logins, and this concerns me as they are not POSIX.
>
> They may be getting the global policy applied.
>
> rob
>
>>
>>
>>
>> 2016-01-14 15:16 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>> Matt . wrote:
>>>> Hi Guys,
>>>>
>>>> I'm having an issue that a user which I use for the API is getting
>>>> locked out from time to time.
>>>>
>>>> I have created a specific password policy for this user with:
>>>>
>>>> Lockout duration (seconds) 0
>>>>
>>>> But this doesn't help much.
>>>>
>>>> Anyone an idea how I can make sure a user is not locked out in any way
>>>> by lots of logins or tries, etc and be able to test it functions
>>>> all right?
>>>
>>> Setting maxfail to 0 should do it. As for testing, be creative, but be
>>> sure to test both LDAP bind and kinit.
>>>
>>> rob
>>>
>>
>
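
A way to check from the command line whether the policy that applies to a user has failure lockout turned off, as an added example that is not part of the original thread: it parses the text printed by `ipa pwpolicy-show --user` and looks at Max failures rather than Lockout duration. The function names and the "Max failures" output label are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify the text output of `ipa pwpolicy-show --user NAME`.
# Assumption: the maxfail setting is printed under the label "Max failures".

# pwpolicy_field LABEL: print the value of the "  LABEL: value" line on stdin.
pwpolicy_field() {
    awk -v label="$1" -F': ' '
        { key = $1; sub(/^[ \t]+/, "", key) }
        key == label { val = $2; sub(/[ \t\r]+$/, "", val); print val; exit }
    '
}

# lockout_status: read pwpolicy-show output on stdin, print "<group> <state>":
#   disabled   Max failures is 0 (the setting the reply recommends)
#   enabled:N  Max failures is N, a non-zero failure limit
#   unknown    no usable "Max failures" line, so the output proves nothing
lockout_status() {
    out=$(cat)
    group=$(printf '%s\n' "$out" | pwpolicy_field "Group")
    maxfail=$(printf '%s\n' "$out" | pwpolicy_field "Max failures")
    case "$maxfail" in
        ""|*[!0-9]*) state="unknown" ;;
        0)           state="disabled" ;;
        *)           state="enabled:$maxfail" ;;
    esac
    echo "${group:-?} $state"
}

# The output posted in this thread: "Lockout duration" is shown, "Max failures" is not.
SAMPLE_THREAD='  Group: service_accounts
  Max lifetime (days): 1024
  Min lifetime (hours): 0
  Lockout duration: 0'

# Constructed sample: the same policy after maxfail has been set to 0.
SAMPLE_FIXED='  Group: service_accounts
  Max failures: 0
  Lockout duration: 0'

printf '%s\n' "$SAMPLE_THREAD" | lockout_status
printf '%s\n' "$SAMPLE_FIXED" | lockout_status

# On an enrolled host: ipa pwpolicy-show --user kinit-user | lockout_status
```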



