Doc string should be enhanced.

• dkupka: What is the expected behaviour here? From source code I can tell that when not set 0 is used but what should then happen? Reset the counter after 0 seconds or disable counter reseting at all?
  • pvom: I don't know, I'm not sure how it should work or how it works. I have not found any information in: http://www.freeipa.org/page/V2/Group_Password_Policy or https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/user-pwdpolicy.html
  • tkrizek: when failinterval=0, I get locket out after exactly the specified amount of maxfail. After the lockouttime expires, I have only a single attempt to enter password, then account gets locked again. I can't reproduce the behavior described in the ticket.
  • pvom: I'll try to reproduce it again. Thank you for testing
  • pvom: it behaves correctly, but what confused me is when I lock user (after specified number of failtures) then increase number of allowed failtures (it allows additional attemps to log in till it reaches the new limit) then I have one attemp after the lockouttime expires - as Tomas described. So, it is not a bug but it would be good to document it.

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone