[Freeipa-users] How to disable user automatically when he becomes locked

Martin Kosek mkosek at redhat.com
Wed Dec 4 11:05:19 UTC 2013


On 12/04/2013 11:53 AM, Natxo Asenjo wrote:
> On Wed, Dec 4, 2013 at 11:44 AM, Natxo Asenjo <natxo.asenjo at gmail.com> wrote:
>> On Wed, Dec 4, 2013 at 10:59 AM, Исаев Виталий Анатольевич
>> <isaev at fintech.ru> wrote:
>>> Dear Freeipa users and developers,
>>>
>>>
>>>
>>> We need to alter the default behavior of the IdM server in the situation
>>> when user exceeds the limit of incorrect password login attempts.
>>>
>>> By default the user is getting locked in this case, but we need to disable
>>> him fully.
>>
>> As in, delete the user? Because locking the account is disabling it
>> unless I misunderstand it. I cannot log in, my cron jobs will fail, I
>> cannot use any ldap/kerberos service because my account is disabled.
>>
>> What do you need exactly? Or maybe you refer to the fact that the lock
>> is temporary (standard 600 seconds, after which you may try logging in
>> again)? In that case, change that in the password policies (in the web
>> interface, policy tab, then password policy, then open the
>> global_policy, then edit the lockout duration field and update it).
> 
> for completeness, the same in the cli as an admin user:
> 
> To get the values:
> $ ipa pwpolicy-show
>   Group: global_policy
>   Max lifetime (days): 90
>   Min lifetime (hours): 1
>   History size: 0
>   Character classes: 0
>   Min length: 8
>   Max failures: 6
>   Failure reset interval: 60
>   Lockout duration: 600
> 
> To change a value:
> $ ipa pwpolicy-mod global_policy --lockouttime=INT
> 
> (where INT is the number of seconds you want the lock to be
> implemented, set it to a huge number, like 946080000; in practice 30 (
> 3600 secs * 24 hours * 365 days * 30 years ) years is like a life
> sentence ;-) - the accounts).
> 

Right, though I am not sure if it would not hit a Kerberos limitation for too
large timestamps.

Alternatively, you can set the Lockout Duration to 0; this should lock out the
account permanently after the number of tries was breached. Note that there is
a related bug fix in FreeIPA 3.2.0:
https://fedorahosted.org/freeipa/ticket/3433

Martin
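The thread settles on two knobs in the global password policy: "Max failures" and "Lockout duration", with a duration of 0 meaning a permanent lockout (per Martin's reply) and anything else a temporary one. The script below is an added example, not code from the thread or from FreeIPA; it parses the `ipa pwpolicy-show` text format shown above so an administrator can audit which behaviour a server actually has. The sample policy output is constructed here to mirror the values quoted in the thread, and the `lockout_mode` / `policy_field` helper names are this example's own.

```shell
#!/bin/sh
# Constructed sample of `ipa pwpolicy-show` output, copied from the values in
# the thread (temporary 600-second lockout after 6 failures).
SAMPLE_POLICY='  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600'

# policy_field NAME -- read "  Name: value" lines on stdin, print the value.
policy_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# lockout_mode POLICY_TEXT -- classify the lockout behaviour of a policy dump.
# Prints "permanent" when Lockout duration is 0 (as described in the thread),
# otherwise "temporary:<seconds>" so the reviewer sees how long the lock lasts.
lockout_mode() {
    duration=$(printf '%s\n' "$1" | policy_field 'Lockout duration')
    maxfail=$(printf '%s\n' "$1" | policy_field 'Max failures')
    # Both fields must be present and numeric for the classification to mean
    # anything; bail out loudly otherwise rather than guessing.
    case "$duration$maxfail" in
        ''|*[!0-9]*) echo "error:unparsable policy" ; return 1 ;;
    esac
    if [ "$duration" -eq 0 ]; then
        echo permanent
    else
        echo "temporary:$duration"
    fi
}

# On a real server, feed the live policy instead of the sample:
#   lockout_mode "$(ipa pwpolicy-show)"
lockout_mode "$SAMPLE_POLICY"
```

Running it against the sample prints `temporary:600`; after `ipa pwpolicy-mod global_policy --lockouttime=0` the same check would report `permanent`, which is the quick way to confirm the change took effect on every replica you care about.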
