[Freeipa-users] How to disable user automatically when he becomes locked

Natxo Asenjo natxo.asenjo at gmail.com
Wed Dec 4 10:53:58 UTC 2013


On Wed, Dec 4, 2013 at 11:44 AM, Natxo Asenjo <natxo.asenjo at gmail.com> wrote:
> On Wed, Dec 4, 2013 at 10:59 AM, Исаев Виталий Анатольевич
> <isaev at fintech.ru> wrote:
>> Dear Freeipa users and developers,
>>
>>
>>
>> We need to alter the default behavior of the IdM server in the situation
>> when user exceeds the limit of incorrect password login attempts.
>>
>> By default the user is getting locked in this case, but we need to disable
>> him fully.
>
> As in, delete the user? Because locking the account is disabling it
> unless I misunderstand it. I cannot log in, my cron jobs will fail, I
> cannot use any ldap/kerberos service because my account is disabled.
>
> What do you need exactly? Or maybe you refer to the fact that the lock
> is temporary (standard 600 seconds, after which you may try logging in
> again)? In that case, change that in the password policies (in the web
> interface, policy tab, then password policy, then open the
> global_policy, then edit the lockout duration field and update it).

For completeness, the same in the CLI as an admin user:

To get the values:
$ ipa pwpolicy-show
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600

To change a value:
$ ipa pwpolicy-mod global_policy --lockouttime=INT

(where INT is the number of seconds you want the lock to be enforced;
set it to a huge number, like 946080000 (3600 secs * 24 hours * 365
days * 30 years). In practice 30 years is like a life sentence ;-) for
the accounts.)
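As an added example (not code from the post or from the FreeIPA project), the following POSIX shell audit takes that "life sentence" value and applies it across all password policies rather than only global_policy: it reads the plain-text output of `ipa pwpolicy-find` (one "Group:" line per policy followed by its attributes, in the same layout as the pwpolicy-show output above), flags every policy whose "Lockout duration" is below a minimum you choose, and prints the `ipa pwpolicy-mod` command that would raise it. Policies with no "Lockout duration" line at all are reported as a shell comment so they are not silently skipped. The sample output embedded below is constructed, not captured from a real server; in practice you would pipe `ipa pwpolicy-find | weak_lockouts 86400` instead.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or the FreeIPA project.
# Audit FreeIPA password policies for a short lockout duration and emit the
# `ipa pwpolicy-mod` commands that would raise it.
# Assumes the plain-text layout of `ipa pwpolicy-find` / `ipa pwpolicy-show`
# shown in the post: "  Group: <name>" then "  Lockout duration: <seconds>".

# 30 years in seconds, the "life sentence" value from the post.
LIFE_SENTENCE=$((3600 * 24 * 365 * 30))   # 946080000

# Read pwpolicy output on stdin; print "<group> <lockout-seconds>" per policy
# that has a Lockout duration line.
lockout_table() {
    awk '
        /^ *Group:/            { group = $2 }
        /^ *Lockout duration:/ { print group, $3 }
    '
}

# Read pwpolicy output on stdin; for each policy whose lockout is shorter
# than $1 seconds print the ipa command that sets it to LIFE_SENTENCE.
# A policy without a Lockout duration line is reported as a "#" comment,
# so the whole output can still be piped into sh after review.
weak_lockouts() {
    min="$1"
    awk -v min="$min" -v target="$LIFE_SENTENCE" '
        /^ *Group:/ {
            if (group != "" && !seen)
                printf "# %s: no Lockout duration line\n", group
            group = $2; seen = 0
        }
        /^ *Lockout duration:/ {
            seen = 1
            if ($3 + 0 < min + 0)
                printf "ipa pwpolicy-mod %s --lockouttime=%s\n", group, target
        }
        END {
            if (group != "" && !seen)
                printf "# %s: no Lockout duration line\n", group
        }
    '
}

# Constructed sample in the shape of `ipa pwpolicy-find` output; the
# group names and values are made up for the example.
SAMPLE='  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600

  Group: admins
  Priority: 10
  Max failures: 3
  Lockout duration: 946080000

  Group: contractors
  Priority: 20
  Max failures: 6'

# Usage: flag every policy that unlocks in less than a day.
printf '%s\n' "$SAMPLE" | weak_lockouts 86400
```

Running this against the constructed sample prints one `ipa pwpolicy-mod global_policy --lockouttime=946080000` line for the default policy and a comment for `contractors`; `admins` already meets the minimum and is left alone. Review the printed commands before running them: raising the lockout also affects accounts that hit the limit by accident, and a lockout this long is effectively a disable that only an admin can undo.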