[Freeipa-users] User Lockout even with special password Policy

Rob Crittenden rcritten at redhat.com
Thu Jan 14 15:58:29 UTC 2016


Matt . wrote:
> OK, nice, but this user failed on kinit but is in the group where the
> policy is set to 0.
> 
> Can I check on the command line if it applies to that setting by
> querying ldap in some way? It could be that some other group
> overrules in some way?

$ ipa pwpolicy-show --user <someuser>

> What about sysaccounts? They seem to be locked also with too many
> logins, and this concerns me as they are not POSIX.

They may be getting the global policy applied.

rob

>
> 2016-01-14 15:16 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>> Matt . wrote:
>>> Hi Guys,
>>>
>>> I'm having an issue that a user which I use for the API is getting
>>> locked out from time to time.
>>>
>>> I have created a specific password policy for this user with:
>>>
>>> Lockout duration (seconds) 0
>>>
>>> But this doesn't help much.
>>>
>>> Anyone an idea how I can make sure a user is not locked out in any way
>>> by lots of logins or tries, etc and be able to test it functions
>>> all right?
>>
>> Setting maxfail to 0 should do it. As for testing, be creative, but be
>> sure to test both LDAP bind and kinit.
>>
>> rob
>>
> 
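
An added example, not part of the original thread: a small filter for the output of the `ipa pwpolicy-show --user <someuser>` command from the reply above. It reports which policy group applies to the user and whether that policy still enforces lockout, using the thread's statement that maxfail 0 is the setting that turns lockout off. The function names and the sample output (group `apiusers` and its values) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ipa pwpolicy-show --user <someuser>` output
# (illustrative values, not taken from the thread).
sample_policy() {
cat <<'EOF'
  Group: apiusers
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Priority: 10
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 0
EOF
}

# Read pwpolicy-show output on stdin and print "<group> <maxfail> <duration>".
# A field missing from the output is printed as "-".
policy_fields() {
    awk -F': *' '
        { sub(/^[ \t]+/, "", $1); sub(/[ \t]+$/, "", $2) }
        $1 == "Group"            { g = $2 }
        $1 == "Max failures"     { m = $2 }
        $1 == "Lockout duration" { d = $2 }
        END {
            if (g == "") g = "-"
            if (m == "") m = "-"
            if (d == "") d = "-"
            print g, m, d
        }'
}

# Classify the effective policy: lockout is off only when Max failures is 0.
lockout_state() {
    set -- $(policy_fields)
    case "$2" in
        -) echo "unknown: no Max failures in output" ;;
        0) echo "disabled: policy $1 has maxfail=0" ;;
        *) echo "enabled: policy $1 locks after $2 failures, duration=$3" ;;
    esac
}

# Real use: ipa pwpolicy-show --user <someuser> | lockout_state
sample_policy | lockout_state
```

The constructed sample mirrors the situation in the thread: the lockout duration is 0 but Max failures is still non-zero, so the filter reports lockout as enabled. The "Group" field shows which policy was actually selected for the user.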



