#4691 There is no obvious way to check if a user is locked or not
Opened 9 years ago by ctria. Modified 9 months ago

By checking the ipa user-show and user-status it is not possible to see if a user is locked due to the number of failed logins.

The only way to determine this is by checking that krbloginfailedcount stops increasing.


The only way is the user-status, see help for instructions:

# ipa help user-status
Usage: ipa [global-options] user-status LOGIN [options]

Lockout status of a user account

    An account may become locked if the password is entered incorrectly too
    many times within a specific time period as controlled by password
    policy. A locked account is a temporary condition and may be unlocked by
    an administrator.

    This connects to each IPA master and displays the lockout status on
    each one.

    To determine whether an account is locked on a given server you need
    to compare the number of failed logins and the time of the last failure.
    For an account to be locked it must exceed the maxfail failures within
    the failinterval duration as specified in the password policy associated
    with the user.

    The failed login counter is modified only when a user attempts a log in
    so it is possible that an account may appear locked but the last failed
    login attempt is older than the lockouttime of the password policy. This
    means that the user may attempt a login again.
...

To overcome this issue, user-lock would need to replicate KDC and LDAP authentication backend to pick the right password policy or know what the defaults are. AFAIK, we chose not to do it.

You should know that an account is locked anyway as both Kerberos and LDAP authentication should start failing right away, without trying to authenticate you.
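The comparison the help text above describes, worked through as an added example (this is not FreeIPA code and was not posted in the thread). It assumes the --raw attribute names for user-status (server, krbloginfailedcount, krblastfailedauth, now) and for pwpolicy-show (krbmaxpwdfailure, krbpwdfailurecountinterval, krbpwdlockoutduration), which should be verified against the installed version, and it runs on constructed sample output rather than a live server:

```python
"""Apply the lockout rule from `ipa help user-status` to per-server output.

Added example, not FreeIPA code. Assumed (verify on your version): stanzas
in the style of `ipa user-status LOGIN --raw` with attributes server,
krbloginfailedcount, krblastfailedauth, now; policy attribute names as in
`ipa pwpolicy-show --raw` (krbmaxpwdfailure, krbpwdfailurecountinterval,
krbpwdlockoutduration, in seconds); generalized-time or ISO 8601 UTC stamps.
The server decides for real; counters differ per master, so check each one.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample output for one user on three masters (not captured).
SAMPLE_STATUS = """\
  server: ipa1.example.test
  krbloginfailedcount: 6
  krblastfailedauth: 20240301120500Z
  now: 20240301120800Z

  server: ipa2.example.test
  krbloginfailedcount: 6
  krblastfailedauth: 20240301100000Z
  now: 20240301120800Z

  server: ipa3.example.test
  krbloginfailedcount: 2
  now: 20240301120800Z
"""

# Constructed policy values; read yours with `ipa pwpolicy-show --raw`.
SAMPLE_POLICY = {"krbmaxpwdfailure": 6,
                 "krbpwdfailurecountinterval": 60,
                 "krbpwdlockoutduration": 600}


def parse_ts(value: str) -> Optional[datetime]:
    """Parse a timestamp; empty or N/A (no failure recorded) -> None."""
    value = value.strip()
    if not value or value.upper() == "N/A":
        return None
    for fmt in ("%Y%m%d%H%M%SZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised timestamp: {value!r}")


def parse_user_status(text: str) -> list:
    """Split blank-line separated per-server stanzas into attribute dicts."""
    servers = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in stanza.splitlines():
            key, sep, val = line.partition(":")
            if sep:
                attrs[key.strip().lower()] = val.strip()
        if "server" in attrs:
            servers.append({
                "server": attrs["server"],
                "failed_logins": int(attrs.get("krbloginfailedcount", "0")),
                "last_failed": parse_ts(attrs.get("krblastfailedauth", "")),
                "now": parse_ts(attrs["now"]),
            })
    return servers


def lockout_state(st: dict, policy: dict) -> str:
    """'unlocked', 'locked', 'stale' or 'unknown' for one master.

    locked: counter at maxfail and last failure younger than lockouttime
    (lockouttime 0 = locked until an admin unlocks). stale: counter at
    maxfail but last failure older than lockouttime, so the next attempt is
    allowed and resets the counter. failinterval needs no check here: the
    server resets the counter when a failure arrives > failinterval after
    the previous one, so the reported count already reflects it.
    """
    maxfail = int(policy.get("krbmaxpwdfailure", 0))
    lockouttime = int(policy.get("krbpwdlockoutduration", 0))
    # maxfail 0 is taken to mean lockout disabled, and reaching maxfail (>=)
    # is taken as locked although the help text says "exceed" (assumptions).
    if maxfail == 0 or st["failed_logins"] < maxfail:
        return "unlocked"
    if st["last_failed"] is None:
        return "unknown"  # counter at the limit but no failure timestamp
    if lockouttime == 0:
        return "locked"
    age = st["now"] - st["last_failed"]
    return "locked" if age < timedelta(seconds=lockouttime) else "stale"


def summarize(status_text: str, policy: dict) -> dict:
    """Map each master to its lockout state for the given policy."""
    return {st["server"]: lockout_state(st, policy)
            for st in parse_user_status(status_text)}


if __name__ == "__main__":
    print(summarize(SAMPLE_STATUS, SAMPLE_POLICY))
```

To use it on real data, feed the output of `ipa user-status LOGIN --raw` to parse_user_status and the policy that actually applies to the user (`ipa pwpolicy-show --user LOGIN --raw`, since a group policy may override global_policy) to summarize. The per-master split is the point: the failure counter is kept on each master separately, which is why the command connects to every one, and the same user can be locked on one master and merely "stale" on another.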

Metadata Update from @ctria:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

Doesn't "ipa user-status" show whether the account is locked or not?

(Maybe this was added after this issue was filed, and so this issue can be closed?)

The UI still lacks support for user-status IIRC.

Metadata Update from @rcritten:
- Issue close_status updated to: None
- Issue set to the milestone: None (was: FreeIPA 4.5 backlog)

9 months ago
