https://bugzilla.redhat.com/show_bug.cgi?id=759501
Description of problem:
When failed login attempts are more than the maximum specified, the account is locked in all clients, no matter if the user is cached in that client or not (expected behaviour). But, in the IdM server, the 'ipa user-show' command, as well as the WebUI, show the user account as still enabled. For diagnosis in case of account troubles, or if an administrator is needed to manually enable locked out accounts, the right status of the locked out account should be shown in the WebUI and the ipa command.

There is a distinction between a disabled account and one locked out due to too many failed logins. We don't currently show the number of failed logins or that lockout status.

Version-Release number of selected component (if applicable):
RHEL 6.2

How reproducible:
Always

Steps to Reproduce:
1. log in with wrong password more times than allowed by configuration
2.
3.

Actual results:
Account is locked out, but this status isn't reflected in the WebUI or by the command "ipa user-show". It does not reflect the number of failed attempts either.

Expected results:
The number of failed attempts should be displayed in the WebUI or by the command "ipa user-show"

Additional info:
Display "locked until X"
The attributes we care about are:
- krbLastSuccessfulAuth: 20120213203655Z
- krbLastFailedAuth: 20120213203413Z
- krbLoginFailedCount: 0
Will add a new command to return status of user on all replicas. Question is whether we'll be able to make authenticated queries against other LDAP servers with S4U2Proxy.
(In #2334) krbLastSuccessfulAuth and krbLastFailedAuth are not being set either.
Going to implement this as a separate command, user-status, which will return a list that will look something like:
server: foo
failed login count: 1
last successful authentication: <date>
last failed authentication: <date>

server: bar
failed login count: 0
last successful authentication: <date>
last failed authentication: <date>
We have the list of masters in cn=masters,cn=ipa,cn=etc,$SUFFIX.
attachment freeipa-rcrit-956-status.patch
Moving to next month iteration.
master: d5c9f7b
ipa-2-2: 418cf11
QE has asked for a few improvements. Because this is called "user-status" they would like it to include the account enable/disabled status.
Simo suggested adding the time that each master was contacted as lockout is very time sensitive.
I will add some guidance on how to read the output to the help.
master: d7f7bb1
ipa-2-2: dbc7afc
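The following is an added illustration of how a per-master user-status report can be derived from the three attributes listed earlier in the ticket (krbLoginFailedCount, krbLastSuccessfulAuth, krbLastFailedAuth), including the "locked until X" display and the time at which each master was contacted, since lockout is time sensitive. It is not FreeIPA's code and not the attached patch. It assumes the password-policy attributes krbPwdMaxFailure and krbPwdLockoutDuration and the nsAccountLock enable/disable flag, none of which are named in this ticket, and uses a simplified model of the lockout rule (locked while the failure count has reached the maximum and the lockout duration since the last failure has not elapsed, or indefinitely when the duration is 0). The per-master records are constructed sample data standing in for the LDAP results that user-status would fetch from each entry in cn=masters,cn=ipa,cn=etc,$SUFFIX; no LDAP query is performed.

```python
"""Per-master lockout evaluation for a user-status style report.

Added example, not FreeIPA's own code. Policy attribute names and the
lockout rule are assumptions, and the master records below are
constructed sample data rather than real replica query results.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


def parse_generalized_time(value: str) -> datetime:
    """Parse the YYYYMMDDHHMMSSZ form the krb* timestamps use (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def format_generalized_time(value: Optional[datetime]) -> str:
    """Render a timestamp back into the LDAP form, or '-' when unset."""
    if value is None:
        return "-"
    return value.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


@dataclass
class LockoutPolicy:
    max_failure: int        # assumed: krbPwdMaxFailure; 0 disables lockout
    lockout_duration: int   # assumed: krbPwdLockoutDuration in seconds; 0 = until an admin unlocks


@dataclass
class MasterStatus:
    server: str
    queried_at: datetime               # when this master was contacted (lockout is time sensitive)
    disabled: bool                     # assumed: nsAccountLock, the enable/disable status
    failed_count: int                  # krbLoginFailedCount
    last_success: Optional[datetime]   # krbLastSuccessfulAuth
    last_failure: Optional[datetime]   # krbLastFailedAuth


@dataclass
class LockState:
    server: str
    locked: bool
    locked_until: Optional[datetime]   # None when not locked, or when locked until an admin unlocks


def evaluate(status: MasterStatus, policy: LockoutPolicy) -> LockState:
    """Decide whether this master considers the account locked out at queried_at."""
    if policy.max_failure == 0 or status.last_failure is None:
        return LockState(status.server, False, None)
    if status.failed_count < policy.max_failure:
        return LockState(status.server, False, None)
    if policy.lockout_duration == 0:
        return LockState(status.server, True, None)   # stays locked until unlocked manually
    until = status.last_failure + timedelta(seconds=policy.lockout_duration)
    if status.queried_at >= until:
        return LockState(status.server, False, None)   # lockout window already expired
    return LockState(status.server, True, until)


def render(statuses: List[MasterStatus], policy: LockoutPolicy) -> List[str]:
    """Produce the per-master listing in the layout proposed in the ticket."""
    lines: List[str] = []
    for st in statuses:
        state = evaluate(st, policy)
        if not state.locked:
            lock_text = "not locked"
        elif state.locked_until is None:
            lock_text = "locked until unlocked by an administrator"
        else:
            lock_text = f"locked until {format_generalized_time(state.locked_until)}"
        lines.append(f"server: {st.server}")
        lines.append(f"queried at: {format_generalized_time(st.queried_at)}")
        lines.append(f"account disabled: {str(st.disabled).lower()}")
        lines.append(f"failed login count: {st.failed_count}")
        lines.append(f"last successful authentication: {format_generalized_time(st.last_success)}")
        lines.append(f"last failed authentication: {format_generalized_time(st.last_failure)}")
        lines.append(f"lockout status: {lock_text}")
        lines.append("")
    return lines


def locked_servers(statuses: List[MasterStatus], policy: LockoutPolicy) -> List[str]:
    """Masters on which the account is currently locked (the counters are per master)."""
    return [st.server for st in statuses if evaluate(st, policy).locked]


# Constructed sample: three masters contacted at the same instant. Only ipa1 saw the
# burst of bad passwords; ipa3 saw an older burst whose lockout window has expired.
SAMPLE_POLICY = LockoutPolicy(max_failure=6, lockout_duration=600)


def sample_statuses() -> List[MasterStatus]:
    now = parse_generalized_time("20120213204000Z")
    return [
        MasterStatus("ipa1.example.test", now, False, 6,
                     parse_generalized_time("20120213190000Z"),
                     parse_generalized_time("20120213203413Z")),
        MasterStatus("ipa2.example.test", now, False, 0, None, None),
        MasterStatus("ipa3.example.test", now, False, 6, None,
                     parse_generalized_time("20120213100000Z")),
    ]


if __name__ == "__main__":
    print("\n".join(render(sample_statuses(), SAMPLE_POLICY)))
    print("locked on:", ", ".join(locked_servers(sample_statuses(), SAMPLE_POLICY)) or "none")
```

The point of the per-master view is that ipa2 reports a clean counter while ipa1 reports the account as locked; a single 'ipa user-show' against ipa2 would show nothing wrong, which is exactly the diagnostic gap the ticket describes.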
Metadata Update from @dpal: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/03