By checking the ipa user-show and user-status it is not possible to see if a user is locked due to the number of failed logins.
The only way to determine this is by checking that krbloginfailedcount stops increasing.
The only way is the user-status, see help for instructions:
# ipa help user-status
Usage: ipa [global-options] user-status LOGIN [options]

Lockout status of a user account

An account may become locked if the password is entered incorrectly too
many times within a specific time period as controlled by password
policy. A locked account is a temporary condition and may be unlocked by
an administrator.

This connects to each IPA master and displays the lockout status on
each one.

To determine whether an account is locked on a given server you need
to compare the number of failed logins and the time of the last failure.
For an account to be locked it must exceed the maxfail failures within
the failinterval duration as specified in the password policy associated
with the user.

The failed login counter is modified only when a user attempts a log in
so it is possible that an account may appear locked but the last failed
login attempt is older than the lockouttime of the password policy. This
means that the user may attempt a login again.
...
To overcome this issue, user-lock would need to replicate KDC and LDAP authentication backend to pick the right password policy or know what the defaults are. AFAIK, we chose not to do it.
You should know that an account is locked anyway as both Kerberos and LDAP authentication should start failing right away, without trying to authenticate you.
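The help text above explains how to read the per-master numbers but leaves the comparison to the reader. The following added example (not part of the ticket or of FreeIPA itself) parses a constructed `ipa user-status` dump and applies the rule the help text describes: an account on a given master counts as locked when its failed-login counter has reached maxfail and the last failure is still within lockouttime; a high counter whose last failure is older than lockouttime is reported as "expired", meaning the next attempt is allowed. The field names in the sample text, the policy values and the timestamps are all assumptions made for the example; the real policy lives in the krbpwdmaxfailure, krbpwdfailurecountinterval and krbpwdlockoutduration attributes of the user's password policy.

```python
"""Evaluate per-master lockout state from the numbers `ipa user-status` reports.

Added example, not FreeIPA code. The status text and policy are constructed
to illustrate the rule from `ipa help user-status`.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# LDAP generalized time as shown in user-status output (assumed format).
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


@dataclass
class PasswordPolicy:
    maxfail: int       # krbpwdmaxfailure; 0 disables lockout
    failinterval: int  # krbpwdfailurecountinterval, seconds (window for counting)
    lockouttime: int   # krbpwdlockoutduration, seconds (how long a lock lasts)


@dataclass
class MasterStatus:
    server: str
    failed_count: int
    last_failed: Optional[datetime]


def parse_user_status(text: str) -> list[MasterStatus]:
    """Parse 'Server:', 'Failed logins:' and 'Last failed authentication:' blocks.

    The field labels are assumed to match the CLI output; other lines are ignored.
    """
    masters: list[MasterStatus] = []
    server: Optional[str] = None
    count = 0
    last: Optional[datetime] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server:"):
            if server is not None:
                masters.append(MasterStatus(server, count, last))
            server = line.split(":", 1)[1].strip()
            count, last = 0, None
        elif line.startswith("Failed logins:"):
            count = int(line.split(":", 1)[1])
        elif line.startswith("Last failed authentication:"):
            value = line.split(":", 1)[1].strip()
            if value and value != "N/A":
                last = datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)
    if server is not None:
        masters.append(MasterStatus(server, count, last))
    return masters


def lockout_state(m: MasterStatus, policy: PasswordPolicy, now: datetime) -> str:
    """Return 'unlocked', 'locked' or 'expired' for one master.

    'expired' is the help text's case: the counter still looks locked, but the
    last failure is older than lockouttime, so the next login attempt is allowed
    (and will also reset a counter whose last failure is outside failinterval).
    """
    if policy.maxfail == 0 or m.last_failed is None or m.failed_count < policy.maxfail:
        return "unlocked"
    age = now - m.last_failed
    if age > timedelta(seconds=policy.lockouttime):
        return "expired"
    return "locked"


def evaluate(status_text: str, policy: PasswordPolicy, now: datetime) -> dict[str, str]:
    """Map each master named in the status text to its lockout state."""
    return {m.server: lockout_state(m, policy, now) for m in parse_user_status(status_text)}


# Constructed sample: three masters with different counters and last-failure times.
SAMPLE_STATUS = """
  Server: ipa1.example.test
  Failed logins: 6
  Last successful authentication: N/A
  Last failed authentication: 20240101120000Z

  Server: ipa2.example.test
  Failed logins: 1
  Last successful authentication: N/A
  Last failed authentication: 20240101100000Z

  Server: ipa3.example.test
  Failed logins: 6
  Last successful authentication: N/A
  Last failed authentication: 20240101110000Z
"""
POLICY = PasswordPolicy(maxfail=6, failinterval=60, lockouttime=600)  # assumed values
NOW = datetime(2024, 1, 1, 12, 5, 0, tzinfo=timezone.utc)             # assumed "now"

if __name__ == "__main__":
    for server, state in evaluate(SAMPLE_STATUS, POLICY, NOW).items():
        print(f"{server}: {state}")
```

Because the counter is only touched on a login attempt, the same user can legitimately show "locked" on one master and "unlocked" on another; that is why the comparison has to be done per server, against the policy actually attached to the user rather than the global defaults.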
Should be solved with: #2792
Metadata Update from @ctria:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog
Doesn't "ipa user-status" show whether the account is locked or not?
(Maybe this was added after this issue was filed, and so this issue can be closed?)
The UI still lacks support for user-status IIRC.
Metadata Update from @rcritten:
- Issue close_status updated to: None
- Issue set to the milestone: None (was: FreeIPA 4.5 backlog)