[Freeipa-users] How to disable user automatically when he becomes locked
Martin Kosek
mkosek at redhat.com
Wed Dec 4 11:53:20 UTC 2013
On 12/04/2013 12:10 PM, Natxo Asenjo wrote:
> On Wed, Dec 4, 2013 at 12:05 PM, Martin Kosek <mkosek at redhat.com> wrote:
>> On 12/04/2013 11:53 AM, Natxo Asenjo wrote:
>>> On Wed, Dec 4, 2013 at 11:44 AM, Natxo Asenjo <natxo.asenjo at gmail.com> wrote:
>>>> On Wed, Dec 4, 2013 at 10:59 AM, Исаев Виталий Анатольевич
>>>> <isaev at fintech.ru> wrote:
>>> To change a value:
>>> $ ipa pwpolicy-mod global_policy --lockouttime=INT
>>>
>>> (where INT is the number of seconds you want the lock to be
>>> implemented, set it to a huge number, like 946080000 in practice 30 (
>>> 3600 secs * 24 hours * 365 days * 30 years ) years is like a life
>>> sentence ;-) - the accounts).
>>>
>>
>> Right, though I am not sure if it would not hit Kerberos limitation for too
>> large timestamps.
>>
>> Alternatively, you can set the Lockout Duration to 0, this should lock out the
>> account permanently after the number of tries was breached.
>
> cool, is that documented? I could not find it in ipa help pwpolicy-mod
That's a good question. I did not find any trace of it so I filed a ticket to
document it:
https://fedorahosted.org/freeipa/ticket/4065
Martin
More information about the Freeipa-users
mailing list