[Freeipa-users] User Lockout even with special password Policy

Matt . yamakasi.014 at gmail.com
Thu Jan 14 18:52:40 UTC 2016


My fault on the maxfail; I was referencing some doc from
side_control and mixed it up.

The sysaccount part sounds doable. I will report back on that!
Thanks a lot!

2016-01-14 19:06 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
> Matt . wrote:
>> OK, this looks good, but it keeps locking the user from time to time:
>>
>> # ipa pwpolicy-show --user kinit-user
>>   Group: service_accounts
>>   Max lifetime (days): 1024
>>   Min lifetime (hours): 0
>>   Lockout duration: 0
>
> As I said before, you need maxfail = 0 to disable lockout.
>
>> Can we make sure we apply a policy to the sysaccount users, or is that
>> not doable?
>
> You'd have to set krbPwdPolicyReference to the dn of the policy you want
> to use for that sysaccount user. That requires the objectclass
> krbPrincipalAux.
>
> rob
>
>>
>> 2016-01-14 16:58 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>> Matt . wrote:
>>>> OK, nice, but this user failed on kinit, yet it is in the group where the
>>>> policy is set to 0.
>>>>
>>>> Can I check on the command line whether that setting applies to it by
>>>> querying LDAP in some way? Could it be that some other group
>>>> overrules it in some way?
>>>
>>> $ ipa pwpolicy-show --user <someuser>
>>>
>>>> What about sysaccounts? They also seem to get locked after too many
>>>> logins, and this concerns me as they are not POSIX.
>>>
>>> They may be getting the global policy applied.
>>>
>>> rob
>>>
>>>>
>>>>
>>>>
>>>> 2016-01-14 15:16 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>>>> Matt . wrote:
>>>>>> Hi Guys,
>>>>>>
>>>>>> I'm having an issue that a user which I use for the API is getting
>>>>>> locked out from time to time.
>>>>>>
>>>>>> I have created a specific password policy for this user with:
>>>>>>
>>>>>> Lockout duration (seconds) 0
>>>>>>
>>>>>> But this doesn't help much.
>>>>>>
>>>>>> Does anyone have an idea how I can make sure a user is not locked out in
>>>>>> any way by lots of logins or tries, etc., and be able to test that it
>>>>>> functions all right?
>>>>>
>>>>> Setting maxfail to 0 should do it. As for testing, be creative, but be
>>>>> sure to test both LDAP bind and kinit.
>>>>>
>>>>> rob
>>>>>
>>>>
>>>
>>
>
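Putting Rob's two pieces of advice together (set krbPwdPolicyReference on the sysaccount entry, which needs the krbPrincipalAux objectclass, and test both the LDAP bind and kinit), here is an added example; it is not code from this thread or from FreeIPA. The base DN, realm, the sysaccount name api-bind, the user kinit-user, the LDAP_URI / IPA_PROBE / *_PW variables and the policy DN layout cn=<group>,cn=<REALM>,cn=kerberos,<base> are all assumptions of mine; read the real policy DN from the dn: line of `ipa pwpolicy-show service_accounts --all --raw` rather than trusting the constant below. The probes only prove the negative (no lockout after N failures); run them once against the default policy too, so you know the probe is capable of locking an account when the policy says it should.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA: point a sysaccount at a
# named password policy, then check lockout with both an LDAP simple bind and
# a kinit.  All names and DNs below are placeholders (assumptions).
set -eu

BASE_DN='dc=example,dc=com'
REALM='EXAMPLE.COM'
LDAP_URI="${LDAP_URI:-ldap://ipa.example.com}"
SYSACCOUNT_DN="uid=api-bind,cn=sysaccounts,cn=etc,$BASE_DN"
# Assumed layout; confirm with: ipa pwpolicy-show service_accounts --all --raw
POLICY_DN="cn=service_accounts,cn=$REALM,cn=kerberos,$BASE_DN"

# Emit the LDIF that points an entry at a policy DN.  krbPwdPolicyReference is
# only allowed by the auxiliary objectclass krbPrincipalAux, so that class is
# added first unless the caller says the entry already has it ("yes").
# The directory rejects "add: objectclass" for a class that is already there,
# which is why the third argument exists.
policy_ldif() {
    entry_dn=$1; policy_dn=$2; has_aux=${3:-no}
    printf 'dn: %s\nchangetype: modify\n' "$entry_dn"
    if [ "$has_aux" != yes ]; then
        printf 'add: objectclass\nobjectclass: krbPrincipalAux\n-\n'
    fi
    printf 'replace: krbPwdPolicyReference\nkrbPwdPolicyReference: %s\n' "$policy_dn"
}

# Prints "yes" if the entry already carries krbPrincipalAux, else "no".
# Binds with GSSAPI, so run it with an admin ticket (kinit admin).
has_krbprincipalaux() {
    if ldapsearch -LLL -Y GSSAPI -H "$LDAP_URI" -b "$1" -s base \
            '(objectclass=*)' objectclass 2>/dev/null \
            | grep -qi '^objectclass: krbPrincipalAux$'; then
        echo yes
    else
        echo no
    fi
}

# Apply the policy reference to the sysaccount (admin ticket required).
apply_policy() {
    policy_ldif "$SYSACCOUNT_DN" "$POLICY_DN" "$(has_krbprincipalaux "$SYSACCOUNT_DN")" \
        | ldapmodify -Y GSSAPI -H "$LDAP_URI"
}

# LDAP-side probe: N deliberately wrong simple binds, then one correct bind.
# Returns 0 if the correct bind still works afterwards, which is what
# maxfail = 0 on the effective policy should give you.
probe_bind() {
    entry_dn=$1; password=$2; tries=${3:-10}; i=0
    while [ "$i" -lt "$tries" ]; do
        ldapwhoami -x -ZZ -H "$LDAP_URI" -D "$entry_dn" -w "wrong-$i" >/dev/null 2>&1 || true
        i=$((i + 1))
    done
    ldapwhoami -x -ZZ -H "$LDAP_URI" -D "$entry_dn" -w "$password" >/dev/null 2>&1
}

# Kerberos-side probe for a real principal (sysaccounts cannot kinit), using
# a throwaway credential cache so the caller's own ticket is not clobbered.
probe_kinit() {
    principal=$1; password=$2; tries=${3:-10}; i=0
    KRB5CCNAME="FILE:$(mktemp)"; export KRB5CCNAME
    while [ "$i" -lt "$tries" ]; do
        printf 'wrong-%s\n' "$i" | kinit "$principal" >/dev/null 2>&1 || true
        i=$((i + 1))
    done
    if printf '%s\n' "$password" | kinit "$principal" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    kdestroy >/dev/null 2>&1 || true
    return "$rc"
}

# Stand-alone run only prints the LDIF.  Set IPA_PROBE=1 (with an admin
# ticket and API_BIND_PW / KINIT_USER_PW exported) to apply the policy and
# run both probes against a live server.
policy_ldif "$SYSACCOUNT_DN" "$POLICY_DN" no
if [ -n "${IPA_PROBE:-}" ]; then
    apply_policy
    probe_bind "$SYSACCOUNT_DN" "$API_BIND_PW" 10 && echo 'LDAP bind: not locked out'
    probe_kinit "kinit-user@$REALM" "$KINIT_USER_PW" 10 && echo 'kinit: not locked out'
fi
```

Feed the output of policy_ldif into ldapmodify only after checking the objectclass, as apply_policy does; re-running the script later with the class already present would otherwise fail on the add: step. Because the probe binds with the wrong password on purpose, it will count against whatever policy is actually in effect, so it doubles as the LDAP check Rob suggested: if the sysaccount locks anyway, the entry is still under the global policy.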
